1ef172af3ef8ec23c8c664a2eae7f10e04cc42f43a878769e5c81a911f402ece

Analysis

max time kernel
122s
max time network
124s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
19-03-2024 03:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-19_807402b02f5e5406ebac6e73b7b6240e_icedid.exe
Size

9.4MB
MD5

807402b02f5e5406ebac6e73b7b6240e
SHA1

428c812f6c8f952245034ffb01f1f417c97bba3f
SHA256

1ef172af3ef8ec23c8c664a2eae7f10e04cc42f43a878769e5c81a911f402ece
SHA512

1a6a695fde0572c945b286205ae79194ed3c04af280027182944478eb034b6e4098e65ad59eaac28550bc02d7f669d0b5858440b562f3a005f36edf04c7e51de
SSDEEP

196608:8mY+1NXW58bgifwFGtzngdQRKaBiORREv4kdju/Px5XhCmaRAze:rNSifwFGtTgdzaB4v4kdOz3aRAze

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2384	autorun.exe
3064	Rar.dll
1316	DCrypto.dll
2268	DCrypto.dll

Loads dropped DLL 13 IoCs

pid	Process
2092	2024-03-19_807402b02f5e5406ebac6e73b7b6240e_icedid.exe
2384	autorun.exe
2384	autorun.exe
2384	autorun.exe
2384	autorun.exe
2384	autorun.exe
2384	autorun.exe
2384	autorun.exe
2384	autorun.exe
2384	autorun.exe
2384	autorun.exe
2384	autorun.exe
2384	autorun.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2384	autorun.exe
2384	autorun.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2384	autorun.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2092	2024-03-19_807402b02f5e5406ebac6e73b7b6240e_icedid.exe
2384	autorun.exe
2384	autorun.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 2384	2092	2024-03-19_807402b02f5e5406ebac6e73b7b6240e_icedid.exe	28
PID 2092 wrote to memory of 2384	2092	2024-03-19_807402b02f5e5406ebac6e73b7b6240e_icedid.exe	28
PID 2092 wrote to memory of 2384	2092	2024-03-19_807402b02f5e5406ebac6e73b7b6240e_icedid.exe	28
PID 2092 wrote to memory of 2384	2092	2024-03-19_807402b02f5e5406ebac6e73b7b6240e_icedid.exe	28
PID 2092 wrote to memory of 2384	2092	2024-03-19_807402b02f5e5406ebac6e73b7b6240e_icedid.exe	28
PID 2092 wrote to memory of 2384	2092	2024-03-19_807402b02f5e5406ebac6e73b7b6240e_icedid.exe	28
PID 2092 wrote to memory of 2384	2092	2024-03-19_807402b02f5e5406ebac6e73b7b6240e_icedid.exe	28
PID 2384 wrote to memory of 3064	2384	autorun.exe	29
PID 2384 wrote to memory of 3064	2384	autorun.exe	29
PID 2384 wrote to memory of 3064	2384	autorun.exe	29
PID 2384 wrote to memory of 3064	2384	autorun.exe	29
PID 2384 wrote to memory of 3064	2384	autorun.exe	29
PID 2384 wrote to memory of 3064	2384	autorun.exe	29
PID 2384 wrote to memory of 3064	2384	autorun.exe	29
PID 2384 wrote to memory of 1316	2384	autorun.exe	31
PID 2384 wrote to memory of 1316	2384	autorun.exe	31
PID 2384 wrote to memory of 1316	2384	autorun.exe	31
PID 2384 wrote to memory of 1316	2384	autorun.exe	31
PID 2384 wrote to memory of 1316	2384	autorun.exe	31
PID 2384 wrote to memory of 1316	2384	autorun.exe	31
PID 2384 wrote to memory of 1316	2384	autorun.exe	31
PID 2384 wrote to memory of 2268	2384	autorun.exe	33
PID 2384 wrote to memory of 2268	2384	autorun.exe	33
PID 2384 wrote to memory of 2268	2384	autorun.exe	33
PID 2384 wrote to memory of 2268	2384	autorun.exe	33
PID 2384 wrote to memory of 2268	2384	autorun.exe	33
PID 2384 wrote to memory of 2268	2384	autorun.exe	33
PID 2384 wrote to memory of 2268	2384	autorun.exe	33

C:\Users\Admin\AppData\Local\Temp\2024-03-19_807402b02f5e5406ebac6e73b7b6240e_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-19_807402b02f5e5406ebac6e73b7b6240e_icedid.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe
  "C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe" "SFXSOURCE:C:\Users\Admin\AppData\Local\Temp\2024-03-19_807402b02f5e5406ebac6e73b7b6240e_icedid.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2384
- - C:\Users\Admin\AppData\Local\Temp\55db338ca11bb763f8e41043335d6c6a.tmp\Rar.dll
    "C:\Users\Admin\AppData\Local\Temp\55db338ca11bb763f8e41043335d6c6a.tmp\Rar.dll" x -y -ep -hp"Di+SK,,_o}hUN-%of]5-O5JQKo4TQAqY(Ne;KAio%mVZ!,DSUM71e582c37b0692dc41d8da88b70b6763" "C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\bin\dll\code.dll"
    3⤵
    - Executes dropped EXE
    PID:3064
- - C:\Users\Admin\AppData\Local\Temp\55db338ca11bb763f8e41043335d6c6a.tmp\DCrypto.dll
    "C:\Users\Admin\AppData\Local\Temp\55db338ca11bb763f8e41043335d6c6a.tmp\DCrypto.dll" -k"EGVvUorVqS57YkVaChkRryr9urDOUGu1vBiUJpnd6F6PSpVneH71e582c37b0692dc41d8da88b70b6763" input-file C:\Users\Admin\AppData\Local\Temp\55db338ca11bb763f8e41043335d6c6a.tmp\command
    3⤵
    - Executes dropped EXE
    PID:1316
- - C:\Users\Admin\AppData\Local\Temp\55db338ca11bb763f8e41043335d6c6a.tmp\DCrypto.dll
    "C:\Users\Admin\AppData\Local\Temp\55db338ca11bb763f8e41043335d6c6a.tmp\DCrypto.dll" -e -k"EGVvUorVqS57YkVaChkRryr9urDOUGu1vBiUJpnd6F6PSpVneH71e582c37b0692dc41d8da88b70b6763" input-file "C:\Users\Admin\AppData\Local\Temp\55db338ca11bb763f8e41043335d6c6a.tmp\command"
    3⤵
    - Executes dropped EXE
    PID:2268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\RGB Color Picker\Config.PKER

Filesize
142B

MD5
25ccb1ccee1d926ab4771a8f99043f63

SHA1
61cf9930c695e46772bcae1d4605e9aaf8a6f26b

SHA256
99b46976506aa39d5e4182e8548e99122f6cf3dd2680b75e1c1203d41a709ee6

SHA512
ad534535c949d8a895eac686be1181b4c2435a11ee0a24dfa2f0d10d4fab8dfd22528a3d74f2d68d745ed8ea29f2194008dbc0033c39ac35ab0780f5b9bef070

Download Submit
C:\ProgramData\RGB Color Picker\Config.PKER

Filesize
166B

MD5
99e622864cecdbb4a9dc240f4cb80dbf

SHA1
349a18b2f91b90c040dd27ab5f0945ed147dc581

SHA256
6061f9518ef278dd5f603bcc1d65c7d0bbd855539ce8ab3533b525b12272dc4a

SHA512
f71f83a4c4eb003eb793eb6e08e81ff4e8c58c2335ce5648e1c3af26d07e9a4b8d8a1f7a5782575feb8ed522f77d2a9b07d5f8485a1e644c6b78a9eb823760e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\55db338ca11bb763f8e41043335d6c6a.tmp\command

Filesize
150KB

MD5
8c77a632f23af975df09c66eebe2ac85

SHA1
46011922a61cc1bd93640a4446bd713b514487ab

SHA256
74e0081b83603ae4ef8c3f6da7bc6301302161b256bef4b2512f5f8f9d7542d8

SHA512
0cf3cb5e1b963b4f6e7fc7c244d968fe64466a2c2c48888e087ec22fdc2df1c695c3b66afa1cfdd41b5eab673bf87bb64201a7c194ce6718b59222d2fb7f37c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Plugins\DCrypto\DCrypto.lmd

Filesize
1.2MB

MD5
87f905cee63a71457deebe0c97be732d

SHA1
43d3812f12076c7221dcb92f90a9f56d29f7dc52

SHA256
aa8c725109e521319fb6846025e567025181e97a7e62a058df677c10f6f67142

SHA512
4328a23c0939d321760c08bd4cda1d3c6ba0d613fa4be9ee80f9b16867331a894a6ccd81caf66196ecb875f4cd1de59b19548862e1cf01b91ecd2e58b55d9d8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Plugins\Object\Object.lmd

Filesize
58KB

MD5
0ab0aa8583d86f40bf33a8b0323ec3fa

SHA1
3521ebda81fca4e84fee5d18eec0dad7670a8b65

SHA256
e50072a4f6ca9c8d6591f252e1fc41e09da27f42b997a872a977c1497c3f4292

SHA512
362f456a0ec28ec642cdb576e38052fe669e8757979ac45a02f7f9a1d74b980620a3acb042dac4da6d78663674014fc5bbbc8673515ae1bcf4e7d7710294aeab

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Plugins\ScreenShot\ScreenShot.lmd

Filesize
670KB

MD5
ca9ef5c0f4ed0e533d3cc063838448e1

SHA1
c0743cca00a83ddf1181d94be2584a8d6878e3ef

SHA256
f5fc2b6e4127532e8a28951799dd6a7687f149a04b4defd87d0f44233314d5b5

SHA512
23e7e04e0fc179debebca6d4a127239a72f58107a63f6484698c3006407c6d8ea5a98773c2e1cefab60808a6109ada53eac6f10fdffd7a509bd3d8dc74c56e8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Plugins\Tray\Tray.lmd

Filesize
168KB

MD5
2a5e029637a89988a98aa5bd841d6356

SHA1
e5be44b9158af7c0ad71b2773f9e56b5e9938711

SHA256
218d3cfa7cbb5fbe3958ec6ae10b7d30d58139b0079aefa10df5aa353e8b9184

SHA512
96e5fc9e88e88636c065cbd8d6cbe3e4cecbf69a6893312103dd2effb58f718a0cced49d571b0ebab87a7598f8bebd84aafd90b2cc274bae66c7db0159332070

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Plugins\WinApi\WinApi.lmd

Filesize
312KB

MD5
0194f4b3ea555e5a2ec2c5aa38c3f47a

SHA1
5ca6ed374bfbea1a60dae6e5e5583561b10f9a09

SHA256
f1166c24279cd83a4bdf7bfe4906113b31db005608dcf688f62b53467807e65d

SHA512
0b0e15b92e61fa5b91cdd74a49ce8aa80f3ce29e2df4bacba51cd41191f9904291ab41ec3be33057c92e8f254716c914d2b28f8b0e8fabe60a32bae34e9bb709

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Plugins\sb_Schulze.png

Filesize
1KB

MD5
e782074591dd7916af6c223168b2f6e9

SHA1
2b8a946e45b0733ea3f6884de99f14ae78678c2d

SHA256
3ab6f742d19836d82eedd6047e221922efd481b7fd1b116d6fc25d14c5111cc1

SHA512
f0d60bcdc7be5e0e6e56d9fa795762a0121fb27ac8c6a824ee0908de891e59c5d935fe225ab2d03d0ff080f95e3c447d66e3101f1222353b3eeec8dd548aaa32

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\autorun.cdd

Filesize
2.6MB

MD5
c75ac709137bd12e95af65fe4942b9e6

SHA1
535fe613ffdd5242aa154a4554f4bc3c7f2f18ce

SHA256
a389a99a6c1e81d5a1b32839af94ec24dced7e9e2735c2bf447fb54a51be5a3d

SHA512
eadbe267817227ce0b903a55729edaa64c8736777c3e8cda1a8538f7fe32995f9289ae2f08008af06d04ae2809ec28603915436df8610441b00d4b22e02747c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe

Filesize
1.5MB

MD5
18787506aaa2b620ac6b3ece5dbac2b0

SHA1
e1b127101ac6cc763440aa3c157dda413f1b2630

SHA256
ec5318410c4a3a2469e141d1232a99b89e0243ebd01dd54ef3b585e7f5454d95

SHA512
81862a2086ffb78f2d4985b2bed032b77ac353f1d2fb9492d9d515540062cfd3ea008a699095c2aeb3e31a4f7c6ce1c00ff0d1101a601c9b1e07fc59909d984d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe

Filesize
128KB

MD5
890d55bacf952f0f75a7daa65a7ac6e7

SHA1
6fcf076bae434fb3def7b8c4f8d0cca92904e2df

SHA256
dc8458b223d20f9d51fac02c720c887984073e9da1188a9754292b9a1348906a

SHA512
6ea2a6ff5afb2df381ce5e7f4e4ab09eac022d014096d2f531952481613b893614e6cb6791e236fd7cf8703666a0fa9b17b2ead56a80d6d77e4795f00f8a27a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe

Filesize
6.6MB

MD5
5f23edda2b3d7b14b93ebdfc5cc94fb9

SHA1
d11cc139cc9db201901d45a41a6935743c5c58b3

SHA256
f75947e753fc2bb6754f44aa9c1cf9c2f32a3362a40f7752cef43b1faf5f2792

SHA512
50c000ed004a299670f2d4ea5de04b982382fb1b48ccd11608a5bce66543356c72cc0aa1cccaddd4aa3e72e8079cacd30ccf9768f989e69113e7b62121dd9ce9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\bin\Images\close.png

Filesize
3KB

MD5
e1292169570d02e81363e4532da127f9

SHA1
91aaab6b013ba5622d84046574a2dc242667a3cb

SHA256
e6e1448d3e8ebfd4465747641b0379552919ed874f8aebd399dca5c2f7afd402

SHA512
74889a41fdba5fed6fd8b8b4e57abb857ae99b8147016a456af3d76ec471644f6e833b995c7473467f1dc99d2b554dd166c7d81622055a5f272968a5c4e8f237

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\bin\Images\logoLicense.png

Filesize
1KB

MD5
cb56730a9751e094dfbe9fa8113eae9f

SHA1
f92852da77a2d31b2cbbf3ce8a3bfb2c466b8d8e

SHA256
a14003a4ddedddbe3bd79162b928fd3f9b9d0edc5671cbb32990db235f2ea104

SHA512
9ddc70855e0df883ba2d09362dbb45be1a9fd762b58ddcf7446996a4e5c2160fa564a90fd4ca8d49b2cd4e8cc0f273f6dfadfa4b9716eda9edf2f3920a216873

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\bin\dll\code.dll

Filesize
110KB

MD5
dfc8775b7c44b46b0d57d1a4d9fdc717

SHA1
1902dc2447107dafff844e152e4c1181eb86bc05

SHA256
b9ada262eda54d4335f2a51992ba36be6d548a6fb884327fcf9413e469ce7486

SHA512
222e6e2d923cfe3e5d0f8b64b01dc0352d27db38b1cf76a0b9e7f5bd22aba8ae1a57d9a2ef675392031203c691a19922df35f337525abf858738d745e35706a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\bin\lang\lang.dll

Filesize
24KB

MD5
c1bcd3aae1c812fd3828641580f193e8

SHA1
c2891c60f89db859d7e6ad49da856b6928193498

SHA256
03b4f71fc9063ea2651722fecb2367a59915eeff1018037394e88c519f534f97

SHA512
f0bab3100b0f3c3c9e2e610f2c6f55ed5ef00b3c1091a1e84fd04d4396676d7256d77f65409b1ad9be4ba76f971ab2cffffbeb5b80961847ced1dd3783f9e624

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\icon.ico

Filesize
612KB

MD5
9c533e591fb65dfe9fcca06f40da5458

SHA1
9e473e47b6a9ea271712db32d2b45585937f6cd6

SHA256
4bd5e2091f31197a4413574c729a7135e31f0c4cb1ff40f5e156fedcc7f0ffcf

SHA512
fecf721074f5208e2e457c0712b8257342401d6c324601a3e22fdf88335378ae9aca244806464fac8c64ab002224c42bd306ab80ba69fea94947bbe22b2b0fd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\lua5.1.dll

Filesize
322KB

MD5
c3256800dce47c14acc83ccca4c3e2ac

SHA1
9d126818c66991dbc3813a65eddb88bbcf77f30a

SHA256
f26f4f66022acc96d0319c09814ebeda60f4ab96b63b6262045dc786dc7c5866

SHA512
6865a98ad8a6bd02d1ba35a28b36b6306af393f5e9ad767cd6da027bb021f7399d629423f510c44436ac3e4603b6c606493edf8b14d21fabf3eab16d37bd0d25

Download Submit
\Users\Admin\AppData\Local\Temp\55db338ca11bb763f8e41043335d6c6a.tmp\DCrypto.dll

Filesize
62KB

MD5
afcdecd90ab5adcf41af018b07a8321c

SHA1
ffa49cbef18b792eba25760f956a347acc5d433a

SHA256
56b67e3ff410fd3699134404aba549355d0ab2348fead74b6675bb1d5c5c47a1

SHA512
643312e3c7c8091a3b6a1311b19e50f6f44094f953c2f3e4c6b88e5fb011ce3f1dda6a2e1345329e489821f7db9d1f9ea8352b36d43e226802d8d0c2d0548696

Download Submit
\Users\Admin\AppData\Local\Temp\55db338ca11bb763f8e41043335d6c6a.tmp\Rar.dll

Filesize
623KB

MD5
300d43860dc6961bbece819912c930bc

SHA1
61cc9b17fae66451327e8f9a7103b9728eb5c95c

SHA256
792708ce3fec9da37408ce4179b118d79b4804878d233c602b490c3bd0eaf02a

SHA512
f74cd7c28e2a267e6b51fa2a8a36380f5766195f7216fd9ee1f76e708343520e9cb60f620fd86114b947589d9f8fdaaa209cf190a5d014bf251ab8bd182fd541

Download Submit
\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Plugins\ECrypto\ECrypto.lmd

Filesize
211KB

MD5
9e31236fe439e4bce39dae3b687e8fb0

SHA1
83e4b9f768272b8c940688e827d2ea5a031eb253

SHA256
0156093d2bb3b2db93699051b33db4a325ec719ce09ea36cc9beca3c2524c9a6

SHA512
bc48ed440be37b17e5e3ba25f99d86f9efa7129214986957152d00bf338af55d27b712be9bc8cdb3d192269808f4cd1f0988f199b24bbe394e65dfe87bc42443

Download Submit
\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe

Filesize
2.4MB

MD5
22249a80053347587c2c360449bdf716

SHA1
02d5d227905ac0a5d2359cbafa7234dfd9e4b941

SHA256
500ff4bf0f5ac93b3b655e10a1e6780ec7dee9a2ab888f0843b92e5685eb60bd

SHA512
c9c0f51c8aa935c93f40eaa4e04d9f73253528383af9634caa018dd47c38fe8164ea5382d2dd44f3dd1655fe5c162d1e0ff91b79ad82dd34772da5f79c629cd0

Download Submit
memory/2384-254-0x0000000007780000-0x0000000007864000-memory.dmp

Filesize
912KB

Download
memory/2384-233-0x00000000044C0000-0x00000000045EA000-memory.dmp

Filesize
1.2MB

Download
memory/2384-250-0x00000000076C0000-0x0000000007780000-memory.dmp

Filesize
768KB

Download
memory/2384-242-0x00000000045F0000-0x000000000462A000-memory.dmp

Filesize
232KB

Download
memory/2384-247-0x00000000064B0000-0x000000000655D000-memory.dmp

Filesize
692KB

Download