Analysis Overview
SHA256
4fc4aaebf044b4c4dfe45737f94baf194dbc156bcc2810a87af4fc458cb15074
Threat Level: Shows suspicious behavior
The file 2024-04-03_3ea811646f5879f610c1c28e8f9b3d94_icedid was classified as: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Modifies Internet Explorer start page
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-03 19:31
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-03 19:31
Reported
2024-04-03 19:33
Platform
win7-20240221-en
Max time kernel
121s
Max time network
121s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\system\sethome7526.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-04-03_3ea811646f5879f610c1c28e8f9b3d94_icedid.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-04-03_3ea811646f5879f610c1c28e8f9b3d94_icedid.exe | N/A |
Reads user/profile data of web browsers
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\windows\system\sethome7526.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-03_3ea811646f5879f610c1c28e8f9b3d94_icedid.exe | N/A |
| File created | \??\c:\windows\system\sethome7526.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-03_3ea811646f5879f610c1c28e8f9b3d94_icedid.exe | N/A |
Enumerates physical storage devices
Modifies Internet Explorer start page
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.baiduo.org/" | C:\Users\Admin\AppData\Local\Temp\2024-04-03_3ea811646f5879f610c1c28e8f9b3d94_icedid.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-04-03_3ea811646f5879f610c1c28e8f9b3d94_icedid.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-04-03_3ea811646f5879f610c1c28e8f9b3d94_icedid.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-04-03_3ea811646f5879f610c1c28e8f9b3d94_icedid.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-04-03_3ea811646f5879f610c1c28e8f9b3d94_icedid.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-04-03_3ea811646f5879f610c1c28e8f9b3d94_icedid.exe | N/A |
| N/A | N/A | \??\c:\windows\system\sethome7526.exe | N/A |
| N/A | N/A | \??\c:\windows\system\sethome7526.exe | N/A |
| N/A | N/A | \??\c:\windows\system\sethome7526.exe | N/A |
| N/A | N/A | \??\c:\windows\system\sethome7526.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2476 wrote to memory of 2444 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-04-03_3ea811646f5879f610c1c28e8f9b3d94_icedid.exe | \??\c:\windows\system\sethome7526.exe |
| PID 2476 wrote to memory of 2444 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-04-03_3ea811646f5879f610c1c28e8f9b3d94_icedid.exe | \??\c:\windows\system\sethome7526.exe |
| PID 2476 wrote to memory of 2444 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-04-03_3ea811646f5879f610c1c28e8f9b3d94_icedid.exe | \??\c:\windows\system\sethome7526.exe |
| PID 2476 wrote to memory of 2444 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-04-03_3ea811646f5879f610c1c28e8f9b3d94_icedid.exe | \??\c:\windows\system\sethome7526.exe |
Processes
| Path | Command Line |
| C:\Users\Admin\AppData\Local\Temp\2024-04-03_3ea811646f5879f610c1c28e8f9b3d94_icedid.exe | "C:\Users\Admin\AppData\Local\Temp\2024-04-03_3ea811646f5879f610c1c28e8f9b3d94_icedid.exe" |
| \??\c:\windows\system\sethome7526.exe | c:\windows\system\sethome7526.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 1235633.3322.org | udp |
Files
C:\ProgramData\abc.lnk
| MD5 | 470c90674fefd449bbd566dc219bb12c |
| SHA1 | ed6bf4ba6bd3afc32683ef5834fe337118ab8b3b |
| SHA256 | 7d86c5c7290730d016b6b196e5ccbe1b93a8839f6f61911345b22c3c0828554e |
| SHA512 | affb0be3d2422a660d4a6a86e076632df313387ca24c0f0168ea644999e134f440c28b66c3f0b7c6e93f52750c0a86aaeb9d069f2c495cf97cbcd960826f8c5e |
C:\Users\abc.lnk
| MD5 | a1dc5e64fd9240773402bf2481e25ccf |
| SHA1 | da531501f138a8dbf4ffd619508e19ffe517cf7d |
| SHA256 | 5a2df053995d0ae68a0eab5f99858895a1be291702c817284b954af6f40e040f |
| SHA512 | 52e55482914b513fc41c198def5444a3eb82b61aac0c167aa58f475bdf122827ea735d50553c0f273bd081cbf52c61d415f95df6bd970f2f8ead0d4e541b80fa |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk
| MD5 | 28bc852174635c1177fcb3b49d7d1f16 |
| SHA1 | ad4482730dd2583acac572e02119aa5424c12f17 |
| SHA256 | 20afc74913b099cdf7aab4c2d216134a290e7a65886f9a783f67fae6b929f317 |
| SHA512 | 398f8e4a0643d3d578466a2ffaf5a6c7707cc734dd0819b05b31fcb34d14269cd4cbb758b7e29a99a250bc1b5bf9404df25a0f0bb27e2193c69620c1cee6e12b |
\Windows\system\sethome7526.exe
| MD5 | 3f4f24abf3187230201cdbdf3f0b8d60 |
| SHA1 | 44640e8805ae1e2ca9f0fb4090ec231b6692a61e |
| SHA256 | 2e3d36480d0805b515b7c1b23a979e899e29c213db09244e5831e25f95677351 |
| SHA512 | 1ce972892362ea5e11602e0f9f10feb87444c28cf37f1f7da6ca2d039a145a77e76434caac40597387a9b6ec95e538a76f76cf11ad44f30b6cdf06280dc0b1ae |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-03 19:31
Reported
2024-04-03 19:33
Platform
win10v2004-20240226-en
Max time kernel
137s
Max time network
158s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\system\sethome2718.exe | N/A |
Reads user/profile data of web browsers
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | \??\c:\windows\system\sethome2718.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-03_3ea811646f5879f610c1c28e8f9b3d94_icedid.exe | N/A |
| File opened for modification | \??\c:\windows\system\sethome2718.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-03_3ea811646f5879f610c1c28e8f9b3d94_icedid.exe | N/A |
Enumerates physical storage devices
Modifies Internet Explorer start page
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.baiduo.org/" | C:\Users\Admin\AppData\Local\Temp\2024-04-03_3ea811646f5879f610c1c28e8f9b3d94_icedid.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-04-03_3ea811646f5879f610c1c28e8f9b3d94_icedid.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-04-03_3ea811646f5879f610c1c28e8f9b3d94_icedid.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-04-03_3ea811646f5879f610c1c28e8f9b3d94_icedid.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-04-03_3ea811646f5879f610c1c28e8f9b3d94_icedid.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-04-03_3ea811646f5879f610c1c28e8f9b3d94_icedid.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-04-03_3ea811646f5879f610c1c28e8f9b3d94_icedid.exe | N/A |
| N/A | N/A | \??\c:\windows\system\sethome2718.exe | N/A |
| N/A | N/A | \??\c:\windows\system\sethome2718.exe | N/A |
| N/A | N/A | \??\c:\windows\system\sethome2718.exe | N/A |
| N/A | N/A | \??\c:\windows\system\sethome2718.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2768 wrote to memory of 3836 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-04-03_3ea811646f5879f610c1c28e8f9b3d94_icedid.exe | \??\c:\windows\system\sethome2718.exe |
| PID 2768 wrote to memory of 3836 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-04-03_3ea811646f5879f610c1c28e8f9b3d94_icedid.exe | \??\c:\windows\system\sethome2718.exe |
| PID 2768 wrote to memory of 3836 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-04-03_3ea811646f5879f610c1c28e8f9b3d94_icedid.exe | \??\c:\windows\system\sethome2718.exe |
Processes
| Path | Command Line |
| C:\Users\Admin\AppData\Local\Temp\2024-04-03_3ea811646f5879f610c1c28e8f9b3d94_icedid.exe | "C:\Users\Admin\AppData\Local\Temp\2024-04-03_3ea811646f5879f610c1c28e8f9b3d94_icedid.exe" |
| \??\c:\windows\system\sethome2718.exe | c:\windows\system\sethome2718.exe |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1260 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8 |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1235633.3322.org | udp |
| US | 8.8.8.8:53 | 210.108.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.11.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.65.42.20.in-addr.arpa | udp |
Files
C:\Users\abc.lnk
| MD5 | d8c84e3733720328313a3d5b4e1a5ef8 |
| SHA1 | 1acf7e8c645bcdd2f8c72b2eb36d4edd9311bde8 |
| SHA256 | b82e03f3ec8cb03ff74e03637a15c25ee07ef26479403082238fb2f8d3abe04a |
| SHA512 | aad16b23e44f7003107b937eb647e5d4e83adda7d3f1ddca47cfbacdb2008b28b287989fbd9788109ab62aa3ec77b550371d762e19d8bcfe78cdc91e81b2ce54 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Internet Explorer.lnk
| MD5 | 7ea5e6af0fb75696345c6719e9a6006e |
| SHA1 | 5b79080d1c3527380bb4fb826e69863338c015bd |
| SHA256 | 64179ff03983ba466fbce8ad80ac1304ef024a700c0a06a590f083a898e631f1 |
| SHA512 | 1cbc69fcbedcf317c8cc50d3f45ec28e3561af4e99a1371ece3ea1b9eaab86e7f983d723909b2e6b45c1ab0c16f9194b56693aca0363503ea1efbb83ef2d0ab8 |
\??\c:\windows\system\sethome2718.exe
| MD5 | 5231b8636a5addbe63c15745ac3ae743 |
| SHA1 | 3fdb6ff4e553f795ce233c59703915a6f2d1b6fe |
| SHA256 | e008b6a2a2d3a2ea63b16309c678ac89aad5301e324c3ed6d8b71fd13fbc38fe |
| SHA512 | 9b0f11cd9933e205d89514988fc1c8b741ea93238349bcb6ef80baa38ba5a0e2a19954674bcc76f9fe323d701bd80ac9a9e273c65656f943ceb90c4672381d92 |
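Triage rules over this report's behaviour, as an added example that is not part of the sandbox report or its tooling. The script encodes the four behaviours that carry weight in both detonations (a PE dropped under C:\Windows and then executed with the parent writing to the child, the Internet Explorer Start Page rewritten to www.baiduo.org, the forward lookup of 1235633.3322.org, and the new .lnk files in C:\ProgramData, C:\Users and the Start Menu) and runs them over event records constructed by hand from the behavioral1 tables above. The event schema, the allow-list of acceptable home-page hosts, the list of dynamic-DNS zones, and the pids attached to the .lnk and DNS events (which the report does not attribute to a process) are all assumptions.

```python
"""Triage rules for sandbox behaviour of the kind shown in this report.

Added example: the events below are constructed by hand from the
behavioral1/behavioral2 tables (pids for the .lnk and DNS events are
assumed; the report does not attribute them). Field names and the
allow/deny lists are assumptions, not the sandbox's schema.
"""
from collections import defaultdict
from urllib.parse import urlparse

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2024-04-03_3ea811646f5879f610c1c28e8f9b3d94_icedid.exe"

EVENTS = [  # constructed, in report order
    {"type": "file_create", "pid": 2476, "path": r"\??\c:\windows\system\sethome7526.exe"},
    {"type": "process_create", "pid": 2444, "ppid": 2476, "image": r"c:\windows\system\sethome7526.exe"},
    {"type": "write_process_memory", "pid": 2476, "target_pid": 2444},
    {"type": "reg_set", "pid": 2476,
     "key": r"\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main",
     "value": "Start Page", "data": "http://www.baiduo.org/"},
    {"type": "file_create", "pid": 2476, "path": r"C:\ProgramData\abc.lnk"},  # pid assumed
    {"type": "file_create", "pid": 2476, "path": r"C:\Users\abc.lnk"},  # pid assumed
    {"type": "file_create", "pid": 2476,  # pid assumed
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk"},
    {"type": "dns_query", "pid": 2476, "domain": "1235633.3322.org"},  # pid assumed
    {"type": "dns_query", "pid": 4, "domain": "209.205.72.20.in-addr.arpa"},  # OS background lookup (behavioral2)
]

# Assumed policy lists: tune to the environment.
IE_HOME_ALLOW = {"msn.com", "microsoft.com", "bing.com"}
DYN_DNS_PARENTS = {"3322.org", "f3322.net", "no-ip.com", "dyndns.org", "ddns.net"}


def norm(path):
    """Lower-case and strip the NT object-manager prefix the sandbox records."""
    p = path.lower()
    return p[4:] if p.startswith("\\??\\") else p


def rule_drop_and_execute(events):
    """Process drops an EXE under C:\\Windows, spawns it, then writes the child's memory."""
    dropped = defaultdict(set)  # pid -> normalized paths of EXEs it wrote under C:\Windows
    for ev in events:
        if ev["type"] == "file_create":
            p = norm(ev["path"])
            if p.startswith("c:\\windows\\") and p.endswith(".exe"):
                dropped[ev["pid"]].add(p)
    child_of = {}  # child pid -> (parent pid, image), only for children started from a dropped file
    for ev in events:
        if ev["type"] == "process_create" and norm(ev["image"]) in dropped[ev["ppid"]]:
            child_of[ev["pid"]] = (ev["ppid"], ev["image"])
    hits, seen = [], set()
    for ev in events:
        if ev["type"] == "write_process_memory" and ev["target_pid"] in child_of:
            ppid, image = child_of[ev["target_pid"]]
            if ev["pid"] == ppid and ev["target_pid"] not in seen:  # the report repeats this row
                seen.add(ev["target_pid"])
                hits.append(f"PID {ppid} dropped {image}, ran it as PID {ev['target_pid']} and wrote to its memory")
    return hits


def rule_ie_start_page(events):
    """IE Start Page set to a host outside the allow-list (home-page hijack)."""
    hits = []
    for ev in events:
        if ev["type"] != "reg_set" or ev["value"].lower() != "start page":
            continue
        if not ev["key"].lower().endswith("\\software\\microsoft\\internet explorer\\main"):
            continue
        host = (urlparse(ev["data"]).hostname or "").lower()
        if not any(host == d or host.endswith("." + d) for d in IE_HOME_ALLOW):
            hits.append(f"PID {ev['pid']} set IE Start Page to {ev['data']} ({host} not allow-listed)")
    return hits


def rule_dynamic_dns(events):
    """Forward lookup whose parent zone is a dynamic-DNS provider; reverse lookups are skipped."""
    hits = []
    for ev in events:
        if ev["type"] != "dns_query":
            continue
        d = ev["domain"].lower().rstrip(".")
        if d.endswith(".in-addr.arpa") or d.endswith(".ip6.arpa"):
            continue  # sandbox/OS reverse lookups, not attributable to the sample
        labels = d.split(".")
        parents = {".".join(labels[i:]) for i in range(1, len(labels) - 1)}
        for parent in sorted(parents & DYN_DNS_PARENTS):
            hits.append(f"PID {ev['pid']} queried {d} (dynamic-DNS zone {parent})")
    return hits


def rule_shortcut_tamper(events):
    """New .lnk files in shared roots or under a Start Menu folder (shortcut hijack/persistence)."""
    hits = []
    for ev in events:
        if ev["type"] != "file_create":
            continue
        p = norm(ev["path"])
        if not p.endswith(".lnk"):
            continue
        in_root = p.startswith("c:\\programdata\\") or (p.startswith("c:\\users\\") and p.count("\\") == 2)
        if in_root or "\\start menu\\" in p:
            hits.append(f"PID {ev['pid']} wrote shortcut {ev['path']}")
    return hits


RULES = {
    "drop_and_execute": rule_drop_and_execute,
    "ie_start_page_hijack": rule_ie_start_page,
    "dynamic_dns": rule_dynamic_dns,
    "shortcut_tamper": rule_shortcut_tamper,
}


def triage(events):
    """Run every rule; return {rule name: [finding, ...]} with an empty list for a clean rule."""
    return {name: rule(events) for name, rule in RULES.items()}


if __name__ == "__main__":
    for name, hits in triage(EVENTS).items():
        for h in hits:
            print(f"[{name}] {h}")
```

Two caveats are built into the rules. A parent writing to the memory of a child it has just created is recorded for ordinary process creation as well, so the WriteProcessMemory rows only count here when the child image is a file the same parent dropped under C:\Windows. The in-addr.arpa queries in behavioral2 are reverse lookups of addresses that the report does not tie to the sample, so they are skipped rather than scored; only the forward lookup of the 3322.org host, common to both detonations, is reported.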