Analysis

max time kernel: 121s
max time network: 121s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 03/04/2024, 19:31

Static task: static1
Behavioral task: behavioral1
Sample: 2024-04-03_3ea811646f5879f610c1c28e8f9b3d94_icedid.exe
Resource: win7-20240221-en
General

Target: 2024-04-03_3ea811646f5879f610c1c28e8f9b3d94_icedid.exe
Size: 284KB
MD5: 3ea811646f5879f610c1c28e8f9b3d94
SHA1: 566c3d6db137593599d4cdf5f6509ab3ff0db66e
SHA256: 4fc4aaebf044b4c4dfe45737f94baf194dbc156bcc2810a87af4fc458cb15074
SHA512: b78fe6f3ea39aeb76b2968c1b9f663980827eb674a1971bb43da6cbd3e656301d140d886405b7aa432605b510c47e0236104af91f845240f4f1ebda7c3e70fa9
SSDEEP: 6144:9lDx7mlcAZBcIdqkorDfoR/0C1fzDB9ePHSJ:9lDx7mlHZo7HoRv177ePH
Malware Config

Signatures

Executes dropped EXE (1 IoC)
    pid   Process
    2444  sethome7526.exe

Loads dropped DLL (2 IoCs)
    pid   Process
    2476  2024-04-03_3ea811646f5879f610c1c28e8f9b3d94_icedid.exe
    2476  2024-04-03_3ea811646f5879f610c1c28e8f9b3d94_icedid.exe

Reads user/profile data of web browsers (2 TTPs)
    Infostealers often target stored browser data, which can include saved credentials etc.

Drops file in Windows directory (2 IoCs)
    description                   ioc                                      Process
    File opened for modification  \??\c:\windows\system\sethome7526.exe    2024-04-03_3ea811646f5879f610c1c28e8f9b3d94_icedid.exe
    File created                  \??\c:\windows\system\sethome7526.exe    2024-04-03_3ea811646f5879f610c1c28e8f9b3d94_icedid.exe

Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).

Modifies Internet Explorer start page (1 TTP, 1 IoC)
    description      ioc                                                                                                                                    Process
    Set value (str)  \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.baiduo.org/"  2024-04-03_3ea811646f5879f610c1c28e8f9b3d94_icedid.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
    pid   Process
    2476  2024-04-03_3ea811646f5879f610c1c28e8f9b3d94_icedid.exe

Suspicious use of SetWindowsHookEx (8 IoCs)
    pid   Process
    2476  2024-04-03_3ea811646f5879f610c1c28e8f9b3d94_icedid.exe
    2476  2024-04-03_3ea811646f5879f610c1c28e8f9b3d94_icedid.exe
    2476  2024-04-03_3ea811646f5879f610c1c28e8f9b3d94_icedid.exe
    2476  2024-04-03_3ea811646f5879f610c1c28e8f9b3d94_icedid.exe
    2444  sethome7526.exe
    2444  sethome7526.exe
    2444  sethome7526.exe
    2444  sethome7526.exe

Suspicious use of WriteProcessMemory (4 IoCs)
    description                        pid   Process                                                  procid_target
    PID 2476 wrote to memory of 2444   2476  2024-04-03_3ea811646f5879f610c1c28e8f9b3d94_icedid.exe  30
    PID 2476 wrote to memory of 2444   2476  2024-04-03_3ea811646f5879f610c1c28e8f9b3d94_icedid.exe  30
    PID 2476 wrote to memory of 2444   2476  2024-04-03_3ea811646f5879f610c1c28e8f9b3d94_icedid.exe  30
    PID 2476 wrote to memory of 2444   2476  2024-04-03_3ea811646f5879f610c1c28e8f9b3d94_icedid.exe  30
Processes

1. C:\Users\Admin\AppData\Local\Temp\2024-04-03_3ea811646f5879f610c1c28e8f9b3d94_icedid.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-03_3ea811646f5879f610c1c28e8f9b3d94_icedid.exe"
   PID: 2476
   - Loads dropped DLL
   - Drops file in Windows directory
   - Modifies Internet Explorer start page
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. \??\c:\windows\system\sethome7526.exe (child of PID 2476)
      Command line: c:\windows\system\sethome7526.exe
      PID: 2444
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
Network

MITRE ATT&CK Enterprise v15
Downloads

Filesize: 965B
MD5: 470c90674fefd449bbd566dc219bb12c
SHA1: ed6bf4ba6bd3afc32683ef5834fe337118ab8b3b
SHA256: 7d86c5c7290730d016b6b196e5ccbe1b93a8839f6f61911345b22c3c0828554e
SHA512: affb0be3d2422a660d4a6a86e076632df313387ca24c0f0168ea644999e134f440c28b66c3f0b7c6e93f52750c0a86aaeb9d069f2c495cf97cbcd960826f8c5e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk
Filesize: 1KB
MD5: 28bc852174635c1177fcb3b49d7d1f16
SHA1: ad4482730dd2583acac572e02119aa5424c12f17
SHA256: 20afc74913b099cdf7aab4c2d216134a290e7a65886f9a783f67fae6b929f317
SHA512: 398f8e4a0643d3d578466a2ffaf5a6c7707cc734dd0819b05b31fcb34d14269cd4cbb758b7e29a99a250bc1b5bf9404df25a0f0bb27e2193c69620c1cee6e12b

Filesize: 1KB
MD5: a1dc5e64fd9240773402bf2481e25ccf
SHA1: da531501f138a8dbf4ffd619508e19ffe517cf7d
SHA256: 5a2df053995d0ae68a0eab5f99858895a1be291702c817284b954af6f40e040f
SHA512: 52e55482914b513fc41c198def5444a3eb82b61aac0c167aa58f475bdf122827ea735d50553c0f273bd081cbf52c61d415f95df6bd970f2f8ead0d4e541b80fa

Filesize: 284KB
MD5: 3f4f24abf3187230201cdbdf3f0b8d60
SHA1: 44640e8805ae1e2ca9f0fb4090ec231b6692a61e
SHA256: 2e3d36480d0805b515b7c1b23a979e899e29c213db09244e5831e25f95677351
SHA512: 1ce972892362ea5e11602e0f9f10feb87444c28cf37f1f7da6ca2d039a145a77e76434caac40597387a9b6ec95e538a76f76cf11ad44f30b6cdf06280dc0b1ae