d61b83ccbe8a440efc227f483a6a67000d7fb671b4c38227a2068fa4e5528e23

Analysis

max time kernel
142s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
27/03/2024, 18:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-03-27_890ccdd953ad624f557516c5f94ef5ec_icedid.exe
Size

2.0MB
MD5

890ccdd953ad624f557516c5f94ef5ec
SHA1

0137cd95c0cfbb4ea2659253b13f781a980914c0
SHA256

d61b83ccbe8a440efc227f483a6a67000d7fb671b4c38227a2068fa4e5528e23
SHA512

c7ce61f6ebb9b77d0ea5e63be869b9528e34d3c8add9ee34464d1f8f12b7f8a92d9a27fe3d3bbe70d680040f0fab909efdfb7e3e72425db2390d96c80616b11a
SSDEEP

49152:vnsHyjtk2MYC5GDuTq24GjdGS9hWb2J3Y2p9tGk5fA:vnsmtk2aeEjdGSGb2Jo2b75fA

Score

9^/10

persistence

Malware Config

Signatures

Detects Windows executables referencing non-Windows User-Agents 8 IoCs

resource	yara_rule
behavioral2/files/0x000c00000002315b-5.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/files/0x000700000002320a-65.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/files/0x000700000002320a-126.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/files/0x000700000002320a-128.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/444-130-0x0000000000C30000-0x0000000000D6E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/3632-127-0x0000000000400000-0x00000000005FC000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/4560-242-0x0000000000400000-0x00000000005FC000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/4560-276-0x0000000000400000-0x00000000005FC000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Detects executables (downlaoders) containing URLs to raw contents of a paste 8 IoCs

resource	yara_rule
behavioral2/files/0x000c00000002315b-5.dat	INDICATOR_SUSPICIOUS_EXE_RawPaste_URL
behavioral2/files/0x000700000002320a-65.dat	INDICATOR_SUSPICIOUS_EXE_RawPaste_URL
behavioral2/files/0x000700000002320a-126.dat	INDICATOR_SUSPICIOUS_EXE_RawPaste_URL
behavioral2/files/0x000700000002320a-128.dat	INDICATOR_SUSPICIOUS_EXE_RawPaste_URL
behavioral2/memory/444-130-0x0000000000C30000-0x0000000000D6E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawPaste_URL
behavioral2/memory/3632-127-0x0000000000400000-0x00000000005FC000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawPaste_URL
behavioral2/memory/4560-242-0x0000000000400000-0x00000000005FC000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawPaste_URL
behavioral2/memory/4560-276-0x0000000000400000-0x00000000005FC000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawPaste_URL

Detects executables Discord URL observed in first stage droppers 8 IoCs

resource	yara_rule
behavioral2/files/0x000c00000002315b-5.dat	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral2/files/0x000700000002320a-65.dat	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral2/files/0x000700000002320a-126.dat	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral2/files/0x000700000002320a-128.dat	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral2/memory/444-130-0x0000000000C30000-0x0000000000D6E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral2/memory/3632-127-0x0000000000400000-0x00000000005FC000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral2/memory/4560-242-0x0000000000400000-0x00000000005FC000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral2/memory/4560-276-0x0000000000400000-0x00000000005FC000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL

Detects executables manipulated with Fody 8 IoCs

resource	yara_rule
behavioral2/files/0x000c00000002315b-5.dat	INDICATOR_EXE_Packed_Fody
behavioral2/files/0x000700000002320a-65.dat	INDICATOR_EXE_Packed_Fody
behavioral2/files/0x000700000002320a-126.dat	INDICATOR_EXE_Packed_Fody
behavioral2/files/0x000700000002320a-128.dat	INDICATOR_EXE_Packed_Fody
behavioral2/memory/444-130-0x0000000000C30000-0x0000000000D6E000-memory.dmp	INDICATOR_EXE_Packed_Fody
behavioral2/memory/3632-127-0x0000000000400000-0x00000000005FC000-memory.dmp	INDICATOR_EXE_Packed_Fody
behavioral2/memory/4560-242-0x0000000000400000-0x00000000005FC000-memory.dmp	INDICATOR_EXE_Packed_Fody
behavioral2/memory/4560-276-0x0000000000400000-0x00000000005FC000-memory.dmp	INDICATOR_EXE_Packed_Fody

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	2024-03-27_890ccdd953ad624f557516c5f94ef5ec_icedid.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	Synaptics.exe

Executes dropped EXE 3 IoCs

pid	Process
444	._cache_2024-03-27_890ccdd953ad624f557516c5f94ef5ec_icedid.exe
4560	Synaptics.exe
4924	._cache_Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	2024-03-27_890ccdd953ad624f557516c5f94ef5ec_icedid.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
25	pastebin.com
29	pastebin.com
30	pastebin.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1496	444	WerFault.exe	84
324	4924	WerFault.exe	87

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	2024-03-27_890ccdd953ad624f557516c5f94ef5ec_icedid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2996	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
444	._cache_2024-03-27_890ccdd953ad624f557516c5f94ef5ec_icedid.exe
4924	._cache_Synaptics.exe
444	._cache_2024-03-27_890ccdd953ad624f557516c5f94ef5ec_icedid.exe
4924	._cache_Synaptics.exe
444	._cache_2024-03-27_890ccdd953ad624f557516c5f94ef5ec_icedid.exe
4924	._cache_Synaptics.exe
444	._cache_2024-03-27_890ccdd953ad624f557516c5f94ef5ec_icedid.exe
4924	._cache_Synaptics.exe
444	._cache_2024-03-27_890ccdd953ad624f557516c5f94ef5ec_icedid.exe
4924	._cache_Synaptics.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	444	._cache_2024-03-27_890ccdd953ad624f557516c5f94ef5ec_icedid.exe
Token: SeDebugPrivilege	4924	._cache_Synaptics.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2996	EXCEL.EXE
2996	EXCEL.EXE
2996	EXCEL.EXE
2996	EXCEL.EXE
2996	EXCEL.EXE

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3632 wrote to memory of 444	3632	2024-03-27_890ccdd953ad624f557516c5f94ef5ec_icedid.exe	84
PID 3632 wrote to memory of 444	3632	2024-03-27_890ccdd953ad624f557516c5f94ef5ec_icedid.exe	84
PID 3632 wrote to memory of 444	3632	2024-03-27_890ccdd953ad624f557516c5f94ef5ec_icedid.exe	84
PID 3632 wrote to memory of 4560	3632	2024-03-27_890ccdd953ad624f557516c5f94ef5ec_icedid.exe	86
PID 3632 wrote to memory of 4560	3632	2024-03-27_890ccdd953ad624f557516c5f94ef5ec_icedid.exe	86
PID 3632 wrote to memory of 4560	3632	2024-03-27_890ccdd953ad624f557516c5f94ef5ec_icedid.exe	86
PID 4560 wrote to memory of 4924	4560	Synaptics.exe	87
PID 4560 wrote to memory of 4924	4560	Synaptics.exe	87
PID 4560 wrote to memory of 4924	4560	Synaptics.exe	87

C:\Users\Admin\AppData\Local\Temp\2024-03-27_890ccdd953ad624f557516c5f94ef5ec_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-27_890ccdd953ad624f557516c5f94ef5ec_icedid.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3632
- C:\Users\Admin\AppData\Local\Temp\._cache_2024-03-27_890ccdd953ad624f557516c5f94ef5ec_icedid.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_2024-03-27_890ccdd953ad624f557516c5f94ef5ec_icedid.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:444
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 444 -s 1688
    3⤵
    - Program crash
    PID:1496
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4560
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4924
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4924 -s 1684
      4⤵
      Program crash
      PID:324

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4924 -ip 4924
1⤵
PID:4044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 444 -ip 444
1⤵
PID:4180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
384KB

MD5
d4eb82a1d0c7985f2c4f5a0178d9a5e1

SHA1
58bf51386cc471e90d7e6e217774c2b93c17c95e

SHA256
0bbf51a3de754fac2e26c9df7ea5d458f115918282d114eb6a52a481df33a2ea

SHA512
a8ac9d665d4324c605efeddf42b29963e0688fc321d61ddec43ad336e31bbb98b44d98c2caa763f0f8742930bc6ef52eccb32f6551b2dcb8cf38494f57afcb5b

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
1.6MB

MD5
b47fee981e848287c2edb597fae2b804

SHA1
c9d21a6182caa3d442b636a62b35a0a87a07d900

SHA256
c1a81dde828b44224606933875b3cf4b0bc494742e17968c389bf1d8e15e8a20

SHA512
7414e39207efcf7105498e6e30209448718470dc28c7c50ac6fce735c0754fafa8127977abc641bcff05cff88ed4251916b69e9a16781d3c492a7f3d5b8de62f

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
2.0MB

MD5
890ccdd953ad624f557516c5f94ef5ec

SHA1
0137cd95c0cfbb4ea2659253b13f781a980914c0

SHA256
d61b83ccbe8a440efc227f483a6a67000d7fb671b4c38227a2068fa4e5528e23

SHA512
c7ce61f6ebb9b77d0ea5e63be869b9528e34d3c8add9ee34464d1f8f12b7f8a92d9a27fe3d3bbe70d680040f0fab909efdfb7e3e72425db2390d96c80616b11a

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_2024-03-27_890ccdd953ad624f557516c5f94ef5ec_icedid.exe

Filesize
1.2MB

MD5
c0ea55286540db56bee76d56ccb295bc

SHA1
c7c63f6ffab5925ba9c7d9f9e4f7b494bc00eb68

SHA256
310739bba1cf863d2d54e2fa15a48f3163dd2eee9839c70db4cd4aa435da44fa

SHA512
e8ca1f979d329cd7cd4a6bd46fcf5abbebac3dad138c8cd751489751dccccd8eea092161fe8130b59d3cdd5cfa724bb59f7178a70c3fe62a6557be763c419c37

Download Submit
C:\Users\Admin\AppData\Local\Temp\CheckerCfg.ini

Filesize
153B

MD5
93f58e7229530ad2b22774f170a2f581

SHA1
ad0112b8a300283d645b2070f15c58777688154f

SHA256
aa7f10c8d0eca33b326ebb1f41f160fc59c04dbc60fac4c150e32c466181689d

SHA512
3bce7f38886bf105e1fcf21b04a320c69f62ead7026958e7e7c2144b6fb9dc0b002b52f5a2fbafc681926a42e68528ddf39c8e218112724345a5129d35dd2c24

Download Submit
C:\Users\Admin\AppData\Local\Temp\NWuFQhRr.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
memory/444-130-0x0000000000C30000-0x0000000000D6E000-memory.dmp

Filesize
1.2MB

Download
memory/444-240-0x0000000072FF0000-0x00000000737A0000-memory.dmp

Filesize
7.7MB

Download
memory/444-199-0x00000000057A0000-0x00000000057BC000-memory.dmp

Filesize
112KB

Download
memory/444-182-0x0000000001680000-0x0000000001692000-memory.dmp

Filesize
72KB

Download
memory/444-183-0x0000000005650000-0x00000000056E2000-memory.dmp

Filesize
584KB

Download
memory/444-191-0x00000000057D0000-0x00000000057E0000-memory.dmp

Filesize
64KB

Download
memory/444-194-0x0000000001600000-0x0000000001626000-memory.dmp

Filesize
152KB

Download
memory/444-195-0x0000000005AE0000-0x0000000005B8A000-memory.dmp

Filesize
680KB

Download
memory/444-196-0x00000000057D0000-0x00000000057E0000-memory.dmp

Filesize
64KB

Download
memory/444-129-0x0000000072FF0000-0x00000000737A0000-memory.dmp

Filesize
7.7MB

Download
memory/2996-205-0x00007FFE64610000-0x00007FFE64620000-memory.dmp

Filesize
64KB

Download
memory/2996-216-0x00007FFEA4590000-0x00007FFEA4785000-memory.dmp

Filesize
2.0MB

Download
memory/2996-200-0x00007FFE64610000-0x00007FFE64620000-memory.dmp

Filesize
64KB

Download
memory/2996-203-0x00007FFE64610000-0x00007FFE64620000-memory.dmp

Filesize
64KB

Download
memory/2996-204-0x00007FFEA4590000-0x00007FFEA4785000-memory.dmp

Filesize
2.0MB

Download
memory/2996-206-0x00007FFEA4590000-0x00007FFEA4785000-memory.dmp

Filesize
2.0MB

Download
memory/2996-208-0x00007FFEA4590000-0x00007FFEA4785000-memory.dmp

Filesize
2.0MB

Download
memory/2996-207-0x00007FFE64610000-0x00007FFE64620000-memory.dmp

Filesize
64KB

Download
memory/2996-249-0x00007FFEA4590000-0x00007FFEA4785000-memory.dmp

Filesize
2.0MB

Download
memory/2996-202-0x00007FFEA4590000-0x00007FFEA4785000-memory.dmp

Filesize
2.0MB

Download
memory/2996-209-0x00007FFEA4590000-0x00007FFEA4785000-memory.dmp

Filesize
2.0MB

Download
memory/2996-210-0x00007FFEA4590000-0x00007FFEA4785000-memory.dmp

Filesize
2.0MB

Download
memory/2996-211-0x00007FFEA4590000-0x00007FFEA4785000-memory.dmp

Filesize
2.0MB

Download
memory/2996-213-0x00007FFEA4590000-0x00007FFEA4785000-memory.dmp

Filesize
2.0MB

Download
memory/2996-212-0x00007FFE62390000-0x00007FFE623A0000-memory.dmp

Filesize
64KB

Download
memory/2996-214-0x00007FFEA4590000-0x00007FFEA4785000-memory.dmp

Filesize
2.0MB

Download
memory/2996-215-0x00007FFEA4590000-0x00007FFEA4785000-memory.dmp

Filesize
2.0MB

Download
memory/2996-198-0x00007FFEA4590000-0x00007FFEA4785000-memory.dmp

Filesize
2.0MB

Download
memory/2996-218-0x00007FFEA4590000-0x00007FFEA4785000-memory.dmp

Filesize
2.0MB

Download
memory/2996-217-0x00007FFE62390000-0x00007FFE623A0000-memory.dmp

Filesize
64KB

Download
memory/2996-248-0x00007FFEA4590000-0x00007FFEA4785000-memory.dmp

Filesize
2.0MB

Download
memory/2996-197-0x00007FFE64610000-0x00007FFE64620000-memory.dmp

Filesize
64KB

Download
memory/3632-127-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/3632-0-0x00000000007D0000-0x00000000007D1000-memory.dmp

Filesize
4KB

Download
memory/4560-175-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download
memory/4560-242-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/4560-246-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download
memory/4560-276-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/4924-221-0x0000000004D70000-0x0000000004D80000-memory.dmp

Filesize
64KB

Download
memory/4924-222-0x00000000052B0000-0x00000000052D2000-memory.dmp

Filesize
136KB

Download
memory/4924-220-0x0000000004D70000-0x0000000004D80000-memory.dmp

Filesize
64KB

Download
memory/4924-241-0x0000000072FF0000-0x00000000737A0000-memory.dmp

Filesize
7.7MB

Download
memory/4924-219-0x0000000072FF0000-0x00000000737A0000-memory.dmp

Filesize
7.7MB

Download