a75f33a11dfae22c89d316c96764a9c224b155508813b10b2653ad99398bb744

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
15/03/2024, 01:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-03-15_32bc0a7b28762f359a582601e29c03fe_icedid.exe
Size

4.8MB
MD5

32bc0a7b28762f359a582601e29c03fe
SHA1

b3bb424533b4c32448b081fc799c056438615244
SHA256

a75f33a11dfae22c89d316c96764a9c224b155508813b10b2653ad99398bb744
SHA512

6fb9912b73444913d5e5b0bb450465028c5087b2e8c05c96ba4e17af7cb1be0559a0b19c5ab6d8cb67beef738f93beb69179ab6ba8372d845afbdbe4804b3408
SSDEEP

98304:K8dH6yIUmsPUeeczoxUGm+cKAeIpFkKTpTmaFbh4kKVwlsxyOQ6:99IUPUpUGm+cJmGbhwCsxz9

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2956	FlashRegistrar.exe

Loads dropped DLL 3 IoCs

pid	Process
320	2024-03-15_32bc0a7b28762f359a582601e29c03fe_icedid.exe
2956	FlashRegistrar.exe
320	2024-03-15_32bc0a7b28762f359a582601e29c03fe_icedid.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	2024-03-15_32bc0a7b28762f359a582601e29c03fe_icedid.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	2024-03-15_32bc0a7b28762f359a582601e29c03fe_icedid.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.4\ = "Shockwave Flash Object"	FlashRegistrar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	FlashRegistrar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.spl	FlashRegistrar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\FLAGS\ = "0"	FlashRegistrar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.4\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	FlashRegistrar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.10\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	FlashRegistrar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib	FlashRegistrar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0	FlashRegistrar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory.1\CLSID	FlashRegistrar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.1\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	FlashRegistrar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory\CLSID\ = "{D27CDB70-AE6D-11cf-96B8-444553540000}"	FlashRegistrar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.3\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	FlashRegistrar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	FlashRegistrar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\TypeLib	FlashRegistrar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32	FlashRegistrar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory.1\CLSID\ = "{D27CDB70-AE6D-11cf-96B8-444553540000}"	FlashRegistrar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.8\ = "Shockwave Flash Object"	FlashRegistrar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32	FlashRegistrar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32	FlashRegistrar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.3	FlashRegistrar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.4	FlashRegistrar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Programmable	FlashRegistrar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\ = "IShockwaveFlash"	FlashRegistrar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.1	FlashRegistrar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash	FlashRegistrar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\EnableFullPage\.mfp	FlashRegistrar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.swf\Content Type = "application/x-shockwave-flash"	FlashRegistrar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.8\CLSID	FlashRegistrar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/futuresplash	FlashRegistrar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	FlashRegistrar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\TypeLib\Version = "1.0"	FlashRegistrar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.6\ = "Shockwave Flash Object"	FlashRegistrar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.7\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	FlashRegistrar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.spl\Content Type = "application/futuresplash"	FlashRegistrar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\0	FlashRegistrar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.8	FlashRegistrar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Control	FlashRegistrar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID\ = "FlashFactory.FlashFactory"	FlashRegistrar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\TypeLib\ = "{D27CDB6B-AE6D-11CF-96B8-444553540000}"	FlashRegistrar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.9\ = "Shockwave Flash Object"	FlashRegistrar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mfp\ = "MacromediaFlashPaper.MacromediaFlashPaper"	FlashRegistrar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.6\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	FlashRegistrar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}	FlashRegistrar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.5	FlashRegistrar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32	FlashRegistrar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\EnableFullPage\.swf	FlashRegistrar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/futuresplash\Extension = ".spl"	FlashRegistrar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32	FlashRegistrar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\0\win32	FlashRegistrar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper	FlashRegistrar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.4\CLSID	FlashRegistrar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.5\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	FlashRegistrar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\ = "Shockwave Flash Object"	FlashRegistrar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib	FlashRegistrar.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Programmable	FlashRegistrar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\TypeLib\ = "{D27CDB6B-AE6D-11CF-96B8-444553540000}"	FlashRegistrar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.6\CLSID	FlashRegistrar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus\1\ = "131473"	FlashRegistrar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/futuresplash\CLSID = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	FlashRegistrar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}	FlashRegistrar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\HELPDIR	FlashRegistrar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\TypeLib\Version = "1.0"	FlashRegistrar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory\CurVer\ = "FlashFactory.FlashFactory.1"	FlashRegistrar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.10\ = "Shockwave Flash Object"	FlashRegistrar.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
320	2024-03-15_32bc0a7b28762f359a582601e29c03fe_icedid.exe
320	2024-03-15_32bc0a7b28762f359a582601e29c03fe_icedid.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 320 wrote to memory of 2956	320	2024-03-15_32bc0a7b28762f359a582601e29c03fe_icedid.exe	28
PID 320 wrote to memory of 2956	320	2024-03-15_32bc0a7b28762f359a582601e29c03fe_icedid.exe	28
PID 320 wrote to memory of 2956	320	2024-03-15_32bc0a7b28762f359a582601e29c03fe_icedid.exe	28
PID 320 wrote to memory of 2956	320	2024-03-15_32bc0a7b28762f359a582601e29c03fe_icedid.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-03-15_32bc0a7b28762f359a582601e29c03fe_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-15_32bc0a7b28762f359a582601e29c03fe_icedid.exe"
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:320
- C:\Users\Admin\AppData\Local\Temp\CPE6D0C.tmp\FlashRegistrar.exe
  C:\Users\Admin\AppData\Local\Temp\CPE6D0C.tmp\FlashRegistrar.exe R C:\Users\Admin\AppData\Local\Temp\CPE6D0C.tmp\Flash.ocx
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  PID:2956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CPE6D0C.tmp\Flash.ocx

Filesize
31KB

MD5
4a1b5347d6e359198c87fb0c84c1900f

SHA1
ff1dca89c44db268b5037fc4fc602f34df627744

SHA256
c73fbd09683ca4026ba4ec1545fd06432959115d4fe007488974a601b603688c

SHA512
1b3a68e404c25cefbd2088e214421d1627eea4148fa63130f77fa78c1fce516b30c7cb17c020d98388dcb5406b7bcd1460b3519e6c28e2a181376abb24fbcbca

Download Submit
\Users\Admin\AppData\Local\Temp\CPE6D0C.tmp\Flash.ocx

Filesize
2.8MB

MD5
51b0593dddeb7e023518bed54da75860

SHA1
7b816b226b07fcf9dbfdc83a208e74e2738cb212

SHA256
60250f88a02e465b5de0ffc1f88e69316cb6b67b35a9a91a55b419a335be0aba

SHA512
14b1fe2d38f43c5d32ea0d3234c0b29d03a8be570ebe2b340827bc48ed49a1f6383a90cc97237a93a693847c550c54e3842474ce5699f99fc533e148e4c9e837

Download Submit
\Users\Admin\AppData\Local\Temp\CPE6D0C.tmp\Flash.ocx

Filesize
1.8MB

MD5
6dc268328625eef90cedaf812ac5ffa5

SHA1
9d361dea4b960d495d86bb66e1e92ac2620e7419

SHA256
9a218f070d0e8773efd4b09f752c3985d54094daea4615785e3121805889ff6d

SHA512
9eec95d10a862a8618d167b06ad8181e2dd8a0058553f461cbe2c7bdac39bd290cf99b17626457b416ba348c33cd3da0db6de7533765a33fb59620e97e4e80a1

Download Submit
\Users\Admin\AppData\Local\Temp\CPE6D0C.tmp\FlashRegistrar.exe

Filesize
63KB

MD5
ed4bb3a88c0d63c029126e6e5cba625e

SHA1
f6bbc2ee6079b006e5c811f1e0a1a36a8aafdebc

SHA256
0538bc97b726aa5a4c90705f0141eb86b26e240ea035ae4d96211f985d6220dd

SHA512
cda6b6adcdfc08f1846bbc55a514793960d7bebe792e3ac032ace2b83d1f00ebabcc69263ab66b1f8ed22487bedc6c816e795a66955f04da28a33621fe717a9e

Download Submit
memory/320-9-0x0000000002530000-0x0000000002531000-memory.dmp

Filesize
4KB

Download