Analysis
-
max time kernel
137s -
max time network
158s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
03/04/2024, 19:31
Static task
static1
Behavioral task
behavioral1
Sample
2024-04-03_3ea811646f5879f610c1c28e8f9b3d94_icedid.exe
Resource
win7-20240221-en
General
-
Target
2024-04-03_3ea811646f5879f610c1c28e8f9b3d94_icedid.exe
-
Size
284KB
-
MD5
3ea811646f5879f610c1c28e8f9b3d94
-
SHA1
566c3d6db137593599d4cdf5f6509ab3ff0db66e
-
SHA256
4fc4aaebf044b4c4dfe45737f94baf194dbc156bcc2810a87af4fc458cb15074
-
SHA512
b78fe6f3ea39aeb76b2968c1b9f663980827eb674a1971bb43da6cbd3e656301d140d886405b7aa432605b510c47e0236104af91f845240f4f1ebda7c3e70fa9
-
SSDEEP
6144:9lDx7mlcAZBcIdqkorDfoR/0C1fzDB9ePHSJ:9lDx7mlHZo7HoRv177ePH
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 3836 sethome2718.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in Windows directory 2 IoCs
description ioc Process File created \??\c:\windows\system\sethome2718.exe 2024-04-03_3ea811646f5879f610c1c28e8f9b3d94_icedid.exe File opened for modification \??\c:\windows\system\sethome2718.exe 2024-04-03_3ea811646f5879f610c1c28e8f9b3d94_icedid.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Internet Explorer start page 1 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.baiduo.org/" 2024-04-03_3ea811646f5879f610c1c28e8f9b3d94_icedid.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2768 2024-04-03_3ea811646f5879f610c1c28e8f9b3d94_icedid.exe 2768 2024-04-03_3ea811646f5879f610c1c28e8f9b3d94_icedid.exe -
Suspicious use of SetWindowsHookEx 8 IoCs
pid Process 2768 2024-04-03_3ea811646f5879f610c1c28e8f9b3d94_icedid.exe 2768 2024-04-03_3ea811646f5879f610c1c28e8f9b3d94_icedid.exe 2768 2024-04-03_3ea811646f5879f610c1c28e8f9b3d94_icedid.exe 2768 2024-04-03_3ea811646f5879f610c1c28e8f9b3d94_icedid.exe 3836 sethome2718.exe 3836 sethome2718.exe 3836 sethome2718.exe 3836 sethome2718.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2768 wrote to memory of 3836 2768 2024-04-03_3ea811646f5879f610c1c28e8f9b3d94_icedid.exe 101 PID 2768 wrote to memory of 3836 2768 2024-04-03_3ea811646f5879f610c1c28e8f9b3d94_icedid.exe 101 PID 2768 wrote to memory of 3836 2768 2024-04-03_3ea811646f5879f610c1c28e8f9b3d94_icedid.exe 101
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_3ea811646f5879f610c1c28e8f9b3d94_icedid.exe"C:\Users\Admin\AppData\Local\Temp\2024-04-03_3ea811646f5879f610c1c28e8f9b3d94_icedid.exe"1⤵
- Drops file in Windows directory
- Modifies Internet Explorer start page
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2768 -
\??\c:\windows\system\sethome2718.exec:\windows\system\sethome2718.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3836
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1260 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:81⤵PID:2720
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Internet Explorer.lnk
Filesize1KB
MD57ea5e6af0fb75696345c6719e9a6006e
SHA15b79080d1c3527380bb4fb826e69863338c015bd
SHA25664179ff03983ba466fbce8ad80ac1304ef024a700c0a06a590f083a898e631f1
SHA5121cbc69fcbedcf317c8cc50d3f45ec28e3561af4e99a1371ece3ea1b9eaab86e7f983d723909b2e6b45c1ab0c16f9194b56693aca0363503ea1efbb83ef2d0ab8
-
Filesize
1KB
MD5d8c84e3733720328313a3d5b4e1a5ef8
SHA11acf7e8c645bcdd2f8c72b2eb36d4edd9311bde8
SHA256b82e03f3ec8cb03ff74e03637a15c25ee07ef26479403082238fb2f8d3abe04a
SHA512aad16b23e44f7003107b937eb647e5d4e83adda7d3f1ddca47cfbacdb2008b28b287989fbd9788109ab62aa3ec77b550371d762e19d8bcfe78cdc91e81b2ce54
-
Filesize
284KB
MD55231b8636a5addbe63c15745ac3ae743
SHA13fdb6ff4e553f795ce233c59703915a6f2d1b6fe
SHA256e008b6a2a2d3a2ea63b16309c678ac89aad5301e324c3ed6d8b71fd13fbc38fe
SHA5129b0f11cd9933e205d89514988fc1c8b741ea93238349bcb6ef80baa38ba5a0e2a19954674bcc76f9fe323d701bd80ac9a9e273c65656f943ceb90c4672381d92