e6b3dd968205b3fbe67c5a316776a5c239ed75f2c3494090c94e55cf58c0ac96

Analysis

max time kernel
150s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
19/03/2024, 20:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-03-19_34ecf1778be97a77d7d5f97ed7fab4c7_icedid.exe
Size

5.0MB
MD5

34ecf1778be97a77d7d5f97ed7fab4c7
SHA1

19c0e3e539ba11b28ba11c340fcce0035f4bbab6
SHA256

e6b3dd968205b3fbe67c5a316776a5c239ed75f2c3494090c94e55cf58c0ac96
SHA512

abe48d9991d569a746a4c03a75dc94af8413b78d5a9d4769adea4d916fe4f92d42c905775bb0ee3358b92c4cb7441dfb72855ed745e2c93f3eb00d3d01f8a8b4
SSDEEP

98304:0eyxOT2yYv9eaHzRInuOBfKLpj3DK0d/HkANIeatvqEgG5Dw7:0s2QalInuLNDJd/9N6MGq7

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	MS¸üÐÂÆ÷.exe

Executes dropped EXE 2 IoCs

pid	Process
2268	MS¸üÐÂÆ÷.exe
3040	rar.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\rar.exe	MS¸üÐÂÆ÷.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
744	2024-03-19_34ecf1778be97a77d7d5f97ed7fab4c7_icedid.exe
744	2024-03-19_34ecf1778be97a77d7d5f97ed7fab4c7_icedid.exe
744	2024-03-19_34ecf1778be97a77d7d5f97ed7fab4c7_icedid.exe
744	2024-03-19_34ecf1778be97a77d7d5f97ed7fab4c7_icedid.exe
744	2024-03-19_34ecf1778be97a77d7d5f97ed7fab4c7_icedid.exe
744	2024-03-19_34ecf1778be97a77d7d5f97ed7fab4c7_icedid.exe
744	2024-03-19_34ecf1778be97a77d7d5f97ed7fab4c7_icedid.exe
744	2024-03-19_34ecf1778be97a77d7d5f97ed7fab4c7_icedid.exe
744	2024-03-19_34ecf1778be97a77d7d5f97ed7fab4c7_icedid.exe
744	2024-03-19_34ecf1778be97a77d7d5f97ed7fab4c7_icedid.exe
744	2024-03-19_34ecf1778be97a77d7d5f97ed7fab4c7_icedid.exe
744	2024-03-19_34ecf1778be97a77d7d5f97ed7fab4c7_icedid.exe
744	2024-03-19_34ecf1778be97a77d7d5f97ed7fab4c7_icedid.exe
744	2024-03-19_34ecf1778be97a77d7d5f97ed7fab4c7_icedid.exe
744	2024-03-19_34ecf1778be97a77d7d5f97ed7fab4c7_icedid.exe
744	2024-03-19_34ecf1778be97a77d7d5f97ed7fab4c7_icedid.exe
744	2024-03-19_34ecf1778be97a77d7d5f97ed7fab4c7_icedid.exe
744	2024-03-19_34ecf1778be97a77d7d5f97ed7fab4c7_icedid.exe
744	2024-03-19_34ecf1778be97a77d7d5f97ed7fab4c7_icedid.exe
744	2024-03-19_34ecf1778be97a77d7d5f97ed7fab4c7_icedid.exe
744	2024-03-19_34ecf1778be97a77d7d5f97ed7fab4c7_icedid.exe
744	2024-03-19_34ecf1778be97a77d7d5f97ed7fab4c7_icedid.exe
744	2024-03-19_34ecf1778be97a77d7d5f97ed7fab4c7_icedid.exe
744	2024-03-19_34ecf1778be97a77d7d5f97ed7fab4c7_icedid.exe
744	2024-03-19_34ecf1778be97a77d7d5f97ed7fab4c7_icedid.exe
744	2024-03-19_34ecf1778be97a77d7d5f97ed7fab4c7_icedid.exe
744	2024-03-19_34ecf1778be97a77d7d5f97ed7fab4c7_icedid.exe
744	2024-03-19_34ecf1778be97a77d7d5f97ed7fab4c7_icedid.exe
744	2024-03-19_34ecf1778be97a77d7d5f97ed7fab4c7_icedid.exe
744	2024-03-19_34ecf1778be97a77d7d5f97ed7fab4c7_icedid.exe
744	2024-03-19_34ecf1778be97a77d7d5f97ed7fab4c7_icedid.exe
744	2024-03-19_34ecf1778be97a77d7d5f97ed7fab4c7_icedid.exe
744	2024-03-19_34ecf1778be97a77d7d5f97ed7fab4c7_icedid.exe
744	2024-03-19_34ecf1778be97a77d7d5f97ed7fab4c7_icedid.exe
744	2024-03-19_34ecf1778be97a77d7d5f97ed7fab4c7_icedid.exe
744	2024-03-19_34ecf1778be97a77d7d5f97ed7fab4c7_icedid.exe
744	2024-03-19_34ecf1778be97a77d7d5f97ed7fab4c7_icedid.exe
744	2024-03-19_34ecf1778be97a77d7d5f97ed7fab4c7_icedid.exe
744	2024-03-19_34ecf1778be97a77d7d5f97ed7fab4c7_icedid.exe
744	2024-03-19_34ecf1778be97a77d7d5f97ed7fab4c7_icedid.exe
744	2024-03-19_34ecf1778be97a77d7d5f97ed7fab4c7_icedid.exe
744	2024-03-19_34ecf1778be97a77d7d5f97ed7fab4c7_icedid.exe
744	2024-03-19_34ecf1778be97a77d7d5f97ed7fab4c7_icedid.exe
744	2024-03-19_34ecf1778be97a77d7d5f97ed7fab4c7_icedid.exe
744	2024-03-19_34ecf1778be97a77d7d5f97ed7fab4c7_icedid.exe
744	2024-03-19_34ecf1778be97a77d7d5f97ed7fab4c7_icedid.exe
744	2024-03-19_34ecf1778be97a77d7d5f97ed7fab4c7_icedid.exe
744	2024-03-19_34ecf1778be97a77d7d5f97ed7fab4c7_icedid.exe
744	2024-03-19_34ecf1778be97a77d7d5f97ed7fab4c7_icedid.exe
744	2024-03-19_34ecf1778be97a77d7d5f97ed7fab4c7_icedid.exe
744	2024-03-19_34ecf1778be97a77d7d5f97ed7fab4c7_icedid.exe
744	2024-03-19_34ecf1778be97a77d7d5f97ed7fab4c7_icedid.exe
744	2024-03-19_34ecf1778be97a77d7d5f97ed7fab4c7_icedid.exe
744	2024-03-19_34ecf1778be97a77d7d5f97ed7fab4c7_icedid.exe
744	2024-03-19_34ecf1778be97a77d7d5f97ed7fab4c7_icedid.exe
744	2024-03-19_34ecf1778be97a77d7d5f97ed7fab4c7_icedid.exe
744	2024-03-19_34ecf1778be97a77d7d5f97ed7fab4c7_icedid.exe
744	2024-03-19_34ecf1778be97a77d7d5f97ed7fab4c7_icedid.exe
744	2024-03-19_34ecf1778be97a77d7d5f97ed7fab4c7_icedid.exe
744	2024-03-19_34ecf1778be97a77d7d5f97ed7fab4c7_icedid.exe
744	2024-03-19_34ecf1778be97a77d7d5f97ed7fab4c7_icedid.exe
744	2024-03-19_34ecf1778be97a77d7d5f97ed7fab4c7_icedid.exe
744	2024-03-19_34ecf1778be97a77d7d5f97ed7fab4c7_icedid.exe
744	2024-03-19_34ecf1778be97a77d7d5f97ed7fab4c7_icedid.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
744	2024-03-19_34ecf1778be97a77d7d5f97ed7fab4c7_icedid.exe
744	2024-03-19_34ecf1778be97a77d7d5f97ed7fab4c7_icedid.exe
2268	MS¸üÐÂÆ÷.exe
2268	MS¸üÐÂÆ÷.exe
3040	rar.exe
3040	rar.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 744 wrote to memory of 2268	744	2024-03-19_34ecf1778be97a77d7d5f97ed7fab4c7_icedid.exe	93
PID 744 wrote to memory of 2268	744	2024-03-19_34ecf1778be97a77d7d5f97ed7fab4c7_icedid.exe	93
PID 744 wrote to memory of 2268	744	2024-03-19_34ecf1778be97a77d7d5f97ed7fab4c7_icedid.exe	93
PID 2268 wrote to memory of 3040	2268	MS¸üÐÂÆ÷.exe	94
PID 2268 wrote to memory of 3040	2268	MS¸üÐÂÆ÷.exe	94

C:\Users\Admin\AppData\Local\Temp\2024-03-19_34ecf1778be97a77d7d5f97ed7fab4c7_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-19_34ecf1778be97a77d7d5f97ed7fab4c7_icedid.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:744
- C:\Users\Admin\AppData\Local\Temp\MS¸üÐÂÆ÷.exe
  C:\Users\Admin\AppData\Local\Temp\MS¸üÐÂÆ÷.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2268
- - C:\Program Files\rar.exe
    "C:\Program Files\rar.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\rar.exe

Filesize
3.1MB

MD5
76982a06a2dc02dbaec9fbdc8880f05c

SHA1
8062066a4817afeabbf766728611c83c8d99fc69

SHA256
b1a2b3ef0cb9beca15ecae7393e0a4d591fa2268a1bde4a11ae56489a90001e2

SHA512
f2221b89d3914175451be7f2396c7c229c79f22c8f9ee79db96fe3816fca26fa63ec7f0ca3be807f3c47b64cda43a049c7cd4aacbee4aa674f6a684dec2c9d38

Download Submit
C:\Program Files\rar.exe

Filesize
2.1MB

MD5
95e2e7e288216119da43132ff3766cc1

SHA1
e46c0478dfedd51fa1d2422f936c83c926186519

SHA256
e643ae3135c538ae34e256d874663e16708f6649ea3e785c5bfe2da575a2d752

SHA512
4be6bd21ec935e42e66be26d4881c4ae1e19da5356654a1e6fe29a5dd1630abdf8148f86cd2ae3c7ad123b9e9c6acfe74adaea2b58e22024d653795a336fd374

Download Submit
C:\Program Files\rar.exe

Filesize
2.2MB

MD5
948d456f17d82eecb845e94035b78289

SHA1
4c4d86575c98de176a4516765d0e3d6442f187b5

SHA256
e5032ce40350fa298c2881b298101e2b94dfd0c68cf314d42a40c58d5e61efa0

SHA512
a0bf0130ca384a58161b863454a63d8d441d7b2ac67e3da1da4d0d00fdb22030927e04f51858c12ef578ea570f1e95f7f8e614f13a4d0a91617d680c06fbab95

Download Submit
C:\Users\Admin\AppData\Local\Temp\MS¸üÐÂÆ÷.exe

Filesize
934KB

MD5
9057a8715449b66929851a2c6017801b

SHA1
df578272bb95b47da8b9be6f8ca1682b3195719b

SHA256
a18892e0c300cf31451fbf651196924e5ff71a35c42ee08c3bc1231782de39bf

SHA512
843a73c603db07e52e4e0101f8eba11bec7c0b0da1770b4974fa27016f08a4ff7c5835a58736ebc0b60dff2f547046af1651a0aeeae003be06242a6d8d872526

Download Submit
C:\Users\Admin\AppData\Local\Temp\MS¸üÐÂÆ÷.exe

Filesize
689KB

MD5
519350a3125ec21bad5799dcf280648f

SHA1
1e0294405ef860b7df46313ee0421fa3647a29e1

SHA256
14f20230225bded9c85d6f82ca3f98a6a126038e4f9c6523302fcc2ec62a8fb4

SHA512
28cee3ae54eb14dfffc27ea12c205341cd1ed67fbb4e6cf63e3906c8f5fcef5f049011bb7060ff1adb854d1e8969adf0cf458f98ff28231d3c4ae0c90ee0b905

Download Submit
memory/744-7-0x0000000002800000-0x000000000280F000-memory.dmp

Filesize
60KB

Download