e86890e8dd552b5e02150e5e6e878dc6261954c2d20a720015bbee16d7d01c0e

Analysis

max time kernel
121s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
15/03/2024, 15:40

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-03-15_fd34823174acfd5fa2fd05da5a4725e5_icedid.exe
Size

284KB
MD5

fd34823174acfd5fa2fd05da5a4725e5
SHA1

d103897a021b2841221f31852bb0fe14aaebf8bb
SHA256

e86890e8dd552b5e02150e5e6e878dc6261954c2d20a720015bbee16d7d01c0e
SHA512

64863f0baaebd0b5c4bd605f602f6bd905594555f2c92c56ce01e5370ac1daf227f592e01cf8613caa57dd686ac1b08422a747284be9f7c2bcda365374706c5a
SSDEEP

6144:SlDx7mlcAZBcIdqkorDfoR/0C1fzDB9ePHSJ:SlDx7mlHZo7HoRv177ePH

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2988	sethome3406.exe

Loads dropped DLL 2 IoCs

pid	Process
1996	2024-03-15_fd34823174acfd5fa2fd05da5a4725e5_icedid.exe
1996	2024-03-15_fd34823174acfd5fa2fd05da5a4725e5_icedid.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	\??\c:\windows\system\sethome3406.exe	2024-03-15_fd34823174acfd5fa2fd05da5a4725e5_icedid.exe
File opened for modification	\??\c:\windows\system\sethome3406.exe	2024-03-15_fd34823174acfd5fa2fd05da5a4725e5_icedid.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.baiduo.org/"	2024-03-15_fd34823174acfd5fa2fd05da5a4725e5_icedid.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1996	2024-03-15_fd34823174acfd5fa2fd05da5a4725e5_icedid.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1996	2024-03-15_fd34823174acfd5fa2fd05da5a4725e5_icedid.exe
1996	2024-03-15_fd34823174acfd5fa2fd05da5a4725e5_icedid.exe
1996	2024-03-15_fd34823174acfd5fa2fd05da5a4725e5_icedid.exe
1996	2024-03-15_fd34823174acfd5fa2fd05da5a4725e5_icedid.exe
2988	sethome3406.exe
2988	sethome3406.exe
2988	sethome3406.exe
2988	sethome3406.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 2988	1996	2024-03-15_fd34823174acfd5fa2fd05da5a4725e5_icedid.exe	30
PID 1996 wrote to memory of 2988	1996	2024-03-15_fd34823174acfd5fa2fd05da5a4725e5_icedid.exe	30
PID 1996 wrote to memory of 2988	1996	2024-03-15_fd34823174acfd5fa2fd05da5a4725e5_icedid.exe	30
PID 1996 wrote to memory of 2988	1996	2024-03-15_fd34823174acfd5fa2fd05da5a4725e5_icedid.exe	30

C:\Users\Admin\AppData\Local\Temp\2024-03-15_fd34823174acfd5fa2fd05da5a4725e5_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-15_fd34823174acfd5fa2fd05da5a4725e5_icedid.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies Internet Explorer start page
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1996
- \??\c:\windows\system\sethome3406.exe
  c:\windows\system\sethome3406.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\abc.lnk

Filesize
965B

MD5
82d06f8c73eebb1b74fe3b9edb053057

SHA1
0c6034bd56615c2014877043b38bb08eb0b84588

SHA256
c630f36b5aa55d6c76653bddf50ab078559d5857e9a3b10441e3aa45d1daddba

SHA512
166dec84e97f1aa93f532b0bf796dad83b0b003a0b6f59d5d056ff33e8d475b2c37231bcea684820fefd0c3edc93982899f0631980b40eafc58bfcb792df7b2c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk

Filesize
1KB

MD5
75cce316b564c158fbda780d89f44499

SHA1
2a75186bcfb35e331993660b11a979f7cb36c9c1

SHA256
03c166171fb631917aabce0cf9154aa54daa3ec1250ae2d0ff318f1bb287ae28

SHA512
4f5cc4d9beb0ea5b50c24f788400a3add04405e33df76fd587747d175c9770f6fb882d2cb7cd7a8c2236776a719c34df640743ede9b0d633c10d98ac6f2c4a44

Download Submit
C:\Users\abc.lnk

Filesize
1KB

MD5
94473870a41008a84ca735bb5ebf6a16

SHA1
aeeac632b8b75b011fac15755e46ea564224e857

SHA256
870e26260fe134abecd9983764d9c81e3597d8c82436146e9bc4d87d9bc55c77

SHA512
5f7eaac970f72a5971fc50e32c7622dc833c89b3c4de7f4bfd1afc7f0af3e09d0e384b6208391c0422f5f13beefd9ce13577080463105bbb0c4ee44a41533d67

Download Submit
\Windows\system\sethome3406.exe

Filesize
284KB

MD5
2e82f292f5382e3100c54f533bcf758a

SHA1
f6fb0b1839abd5cb3f145022201a0f986c366a50

SHA256
634ccbbba79d5e588ea66098a9883444d2441946830783ba16d428ca32e46997

SHA512
9dbe59384146b9bf57246ce95aabb0010917e9fc3143a5ddce7b30c38accc3b312963df5eb3a7a137d8a981e2a7675ff20d5dc6f3293c8f5d28f91f335aea5d3

Download Submit