27b657b49598572928be04ab81dc3a0e65c9f63a05d4df8ad75f47278b6129c7

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
18/03/2024, 10:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
Size

7.4MB
MD5

da5e643a1f593b31fdd8f2c5cf9d6e7e
SHA1

a7b10fc162dbfc7d4bb22142914efa6b18dbf6ad
SHA256

27b657b49598572928be04ab81dc3a0e65c9f63a05d4df8ad75f47278b6129c7
SHA512

c15e498b0f2ddba6b1f20b5e5b7ed7c9f1bfb6a8df1e8268c88b1c94f854fb2156536afc39aca50f8fba6bbc0bba95b3e6935bd2d439d83a6209b12f3492ba91
SSDEEP

98304:3u5x6M1Wo8oboPHbsDudMYFhHZh4HbsDu:AiZGDDudDhzDu

Score

8^/10

persistence ransomware

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\windows\SysWOW64\drivers\spo0lve.exe	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
File opened for modification	C:\windows\SysWOW64\drivers\spo0lve.exe	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\spron = "C:\\Users\\Admin\\AppData\\Local\\Temp/2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe"	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pigdesk.bmp"	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.ShowHelp.exe	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
File created	C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\misc.exe	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\SDXHelper.exe	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PerfBoost.exe	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
File created	C:\Program Files\Windows Mail\wabmig.exe	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\msoia.exe	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\filecompare.exe	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\IntegratedOffice.exe	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
File created	C:\Program Files\Internet Explorer\ieinstal.exe	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\protocolhandler.exe	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
File created	C:\Program Files\Windows Media Player\wmlaunch.exe	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\createdump.exe	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\pubs.exe	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-1000-0000000FF1CE}\misc.exe	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\grv_icons.exe	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate32.exe	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\AppVLP.exe	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\pptico.exe	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\msotd.exe	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
File created	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\Desktop\TileWallpaper = "2"	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\Desktop\WallpaperStyle = "2"	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe

Suspicious behavior: EnumeratesProcesses 50 IoCs

pid	Process
2236	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
2236	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
2236	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
2236	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
2236	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
2236	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
2236	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
2236	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
2236	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
2236	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
2236	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
2236	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
2236	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
2236	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
2236	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
2236	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
2236	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
2236	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
2236	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
2236	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
2236	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
2236	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
2236	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
2236	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
2236	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
2236	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
2236	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
2236	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
2236	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
2236	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
2236	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
2236	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
2236	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
2236	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
2236	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
2236	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
2236	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
2236	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
2236	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
2236	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
2236	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
2236	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
2236	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
2236	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
2236	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
2236	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
2236	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
2236	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
2236	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
2236	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2236	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
2236	2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe

C:\Users\Admin\AppData\Local\Temp\2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-18_da5e643a1f593b31fdd8f2c5cf9d6e7e_icedid.exe"
1⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Uninstall.exe

Filesize
7.4MB

MD5
92b227edbe56b26170ef27a9eaf412dc

SHA1
e56ee6919844e89e9476341a777c417aca7d4f38

SHA256
277367ed2042f30b9467e558c94bc3f3efaab4115e231830b8b06801d1962343

SHA512
295cae23ec2625cc851916f1d5b890ba32d43c9aeb3dc323872c3821c1369aff3e111fad9257ef62f3ee91bf023f8c4be32a7a98fbd12ae0cddb8f88d332e08b

Download Submit