Malware Analysis Report

2025-08-05 10:00

Sample ID 240403-x8fw2sae2v
Target 2024-04-03_3ea811646f5879f610c1c28e8f9b3d94_icedid
SHA256 4fc4aaebf044b4c4dfe45737f94baf194dbc156bcc2810a87af4fc458cb15074
Tags

spyware stealer

Score

7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score

7/10

SHA256

4fc4aaebf044b4c4dfe45737f94baf194dbc156bcc2810a87af4fc458cb15074

Threat Level: Shows suspicious behavior

The file 2024-04-03_3ea811646f5879f610c1c28e8f9b3d94_icedid was classified as: Shows suspicious behavior.

Malicious Activity Summary

spyware stealer

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer start page

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-03 19:31

Signatures

Unsigned PE

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-03 19:31

Reported

2024-04-03 19:33

Platform

win7-20240221-en

Max time kernel

121s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-03_3ea811646f5879f610c1c28e8f9b3d94_icedid.exe"

Signatures

Executes dropped EXE

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | \??\c:\windows\system\sethome7526.exe | N/A |

Reads user/profile data of web browsers

spyware stealer

Drops file in Windows directory

| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | \??\c:\windows\system\sethome7526.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-03_3ea811646f5879f610c1c28e8f9b3d94_icedid.exe | N/A |
| File created | \??\c:\windows\system\sethome7526.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-03_3ea811646f5879f610c1c28e8f9b3d94_icedid.exe | N/A |

Enumerates physical storage devices

Modifies Internet Explorer start page

stealer

| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.baiduo.org/" | C:\Users\Admin\AppData\Local\Temp\2024-04-03_3ea811646f5879f610c1c28e8f9b3d94_icedid.exe | N/A |

Suspicious behavior: EnumeratesProcesses

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-04-03_3ea811646f5879f610c1c28e8f9b3d94_icedid.exe | N/A |

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-03_3ea811646f5879f610c1c28e8f9b3d94_icedid.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-03_3ea811646f5879f610c1c28e8f9b3d94_icedid.exe"

\??\c:\windows\system\sethome7526.exe

c:\windows\system\sethome7526.exe

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 1235633.3322.org | udp |

Files

C:\ProgramData\abc.lnk

MD5 470c90674fefd449bbd566dc219bb12c
SHA1 ed6bf4ba6bd3afc32683ef5834fe337118ab8b3b
SHA256 7d86c5c7290730d016b6b196e5ccbe1b93a8839f6f61911345b22c3c0828554e
SHA512 affb0be3d2422a660d4a6a86e076632df313387ca24c0f0168ea644999e134f440c28b66c3f0b7c6e93f52750c0a86aaeb9d069f2c495cf97cbcd960826f8c5e

C:\Users\abc.lnk

MD5 a1dc5e64fd9240773402bf2481e25ccf
SHA1 da531501f138a8dbf4ffd619508e19ffe517cf7d
SHA256 5a2df053995d0ae68a0eab5f99858895a1be291702c817284b954af6f40e040f
SHA512 52e55482914b513fc41c198def5444a3eb82b61aac0c167aa58f475bdf122827ea735d50553c0f273bd081cbf52c61d415f95df6bd970f2f8ead0d4e541b80fa

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk

MD5 28bc852174635c1177fcb3b49d7d1f16
SHA1 ad4482730dd2583acac572e02119aa5424c12f17
SHA256 20afc74913b099cdf7aab4c2d216134a290e7a65886f9a783f67fae6b929f317
SHA512 398f8e4a0643d3d578466a2ffaf5a6c7707cc734dd0819b05b31fcb34d14269cd4cbb758b7e29a99a250bc1b5bf9404df25a0f0bb27e2193c69620c1cee6e12b

\Windows\system\sethome7526.exe

MD5 3f4f24abf3187230201cdbdf3f0b8d60
SHA1 44640e8805ae1e2ca9f0fb4090ec231b6692a61e
SHA256 2e3d36480d0805b515b7c1b23a979e899e29c213db09244e5831e25f95677351
SHA512 1ce972892362ea5e11602e0f9f10feb87444c28cf37f1f7da6ca2d039a145a77e76434caac40597387a9b6ec95e538a76f76cf11ad44f30b6cdf06280dc0b1ae

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-03 19:31

Reported

2024-04-03 19:33

Platform

win10v2004-20240226-en

Max time kernel

137s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-03_3ea811646f5879f610c1c28e8f9b3d94_icedid.exe"

Signatures

Executes dropped EXE

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | \??\c:\windows\system\sethome2718.exe | N/A |

Reads user/profile data of web browsers

spyware stealer

Drops file in Windows directory

| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | \??\c:\windows\system\sethome2718.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-03_3ea811646f5879f610c1c28e8f9b3d94_icedid.exe | N/A |
| File opened for modification | \??\c:\windows\system\sethome2718.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-03_3ea811646f5879f610c1c28e8f9b3d94_icedid.exe | N/A |

Enumerates physical storage devices

Modifies Internet Explorer start page

stealer

| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.baiduo.org/" | C:\Users\Admin\AppData\Local\Temp\2024-04-03_3ea811646f5879f610c1c28e8f9b3d94_icedid.exe | N/A |

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-03_3ea811646f5879f610c1c28e8f9b3d94_icedid.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-03_3ea811646f5879f610c1c28e8f9b3d94_icedid.exe"

\??\c:\windows\system\sethome2718.exe

c:\windows\system\sethome2718.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1260 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1235633.3322.org | udp |
| US | 8.8.8.8:53 | 210.108.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.11.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.65.42.20.in-addr.arpa | udp |

Files

C:\Users\abc.lnk

MD5 d8c84e3733720328313a3d5b4e1a5ef8
SHA1 1acf7e8c645bcdd2f8c72b2eb36d4edd9311bde8
SHA256 b82e03f3ec8cb03ff74e03637a15c25ee07ef26479403082238fb2f8d3abe04a
SHA512 aad16b23e44f7003107b937eb647e5d4e83adda7d3f1ddca47cfbacdb2008b28b287989fbd9788109ab62aa3ec77b550371d762e19d8bcfe78cdc91e81b2ce54

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Internet Explorer.lnk

MD5 7ea5e6af0fb75696345c6719e9a6006e
SHA1 5b79080d1c3527380bb4fb826e69863338c015bd
SHA256 64179ff03983ba466fbce8ad80ac1304ef024a700c0a06a590f083a898e631f1
SHA512 1cbc69fcbedcf317c8cc50d3f45ec28e3561af4e99a1371ece3ea1b9eaab86e7f983d723909b2e6b45c1ab0c16f9194b56693aca0363503ea1efbb83ef2d0ab8

\??\c:\windows\system\sethome2718.exe

MD5 5231b8636a5addbe63c15745ac3ae743
SHA1 3fdb6ff4e553f795ce233c59703915a6f2d1b6fe
SHA256 e008b6a2a2d3a2ea63b16309c678ac89aad5301e324c3ed6d8b71fd13fbc38fe
SHA512 9b0f11cd9933e205d89514988fc1c8b741ea93238349bcb6ef80baa38ba5a0e2a19954674bcc76f9fe323d701bd80ac9a9e273c65656f943ceb90c4672381d92