bff511ebe1b5836258f15349bd0c90253625b4a6db0a095c8576e30ab7e6a025

Analysis

max time kernel
120s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
06/04/2024, 14:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-06_b6edec3676c48272aace0eebfffa3573_icedid.exe
Size

284KB
MD5

b6edec3676c48272aace0eebfffa3573
SHA1

a1c315bf34a28aa81197993a294b26e52a47a195
SHA256

bff511ebe1b5836258f15349bd0c90253625b4a6db0a095c8576e30ab7e6a025
SHA512

76a4c7b1c9e7e6d1ebc43de591caafb13dae8c08cf13f113f3200a7243dee1b97bdbde9cc55219f7b412f700701811a89939567f9dc9a930d7524051189f102e
SSDEEP

6144:klDx7mlcAZBcIdqkorDfoR/0C1fzDB9ePHSJ:klDx7mlHZo7HoRv177ePH

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2908	sethome3079.exe

Loads dropped DLL 2 IoCs

pid	Process
2072	2024-04-06_b6edec3676c48272aace0eebfffa3573_icedid.exe
2072	2024-04-06_b6edec3676c48272aace0eebfffa3573_icedid.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	\??\c:\windows\system\sethome3079.exe	2024-04-06_b6edec3676c48272aace0eebfffa3573_icedid.exe
File opened for modification	\??\c:\windows\system\sethome3079.exe	2024-04-06_b6edec3676c48272aace0eebfffa3573_icedid.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.baiduo.org/"	2024-04-06_b6edec3676c48272aace0eebfffa3573_icedid.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2072	2024-04-06_b6edec3676c48272aace0eebfffa3573_icedid.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2072	2024-04-06_b6edec3676c48272aace0eebfffa3573_icedid.exe
2072	2024-04-06_b6edec3676c48272aace0eebfffa3573_icedid.exe
2072	2024-04-06_b6edec3676c48272aace0eebfffa3573_icedid.exe
2072	2024-04-06_b6edec3676c48272aace0eebfffa3573_icedid.exe
2908	sethome3079.exe
2908	sethome3079.exe
2908	sethome3079.exe
2908	sethome3079.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 2908	2072	2024-04-06_b6edec3676c48272aace0eebfffa3573_icedid.exe	30
PID 2072 wrote to memory of 2908	2072	2024-04-06_b6edec3676c48272aace0eebfffa3573_icedid.exe	30
PID 2072 wrote to memory of 2908	2072	2024-04-06_b6edec3676c48272aace0eebfffa3573_icedid.exe	30
PID 2072 wrote to memory of 2908	2072	2024-04-06_b6edec3676c48272aace0eebfffa3573_icedid.exe	30

C:\Users\Admin\AppData\Local\Temp\2024-04-06_b6edec3676c48272aace0eebfffa3573_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-06_b6edec3676c48272aace0eebfffa3573_icedid.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies Internet Explorer start page
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2072
- \??\c:\windows\system\sethome3079.exe
  c:\windows\system\sethome3079.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\abc.lnk

Filesize
965B

MD5
01efbbd4786ad963d1661b7348cde92d

SHA1
80ad7d7ffb9d44a1090dfd815ce28e749b941715

SHA256
d58c8ca40e52afc97df5aa2788edf5acf13a26d79ada22e6a34b46f17fc7fe3f

SHA512
a191e2e9852dfbf08ca9045ba23068398280f59a38c2479389266dc0c42908913982dfbc753ef2cf848185bb091b85965cb1b66169695dbd4876d7af47be53ed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk

Filesize
1KB

MD5
960222e44ed24baec5ab0933a3628fe8

SHA1
88eecc03d7068a89a4910207be9c3ff34eb40148

SHA256
20c8f24b0a4dd23b6364675b64199ee8a318b8325dedb96a3280cfc4cfa485b5

SHA512
10c127a4e1b77a5204d1712d7e4e3c70d448343493dc2cd9b3dd8d6796133790ea63bcadf4fd1cc7f8a952216ba8d0cc3de3c403a2655e351db4432823007722

Download Submit
C:\Users\abc.lnk

Filesize
1KB

MD5
2ade9bf687f24cd15c14ff4b394d61bf

SHA1
6e908c41934c8ec1037aee6911813396f02ffc6f

SHA256
eaca14500e7c68dfaa6c3d47dea6a80dc9f9a4e5f943204d733b347debe75aa6

SHA512
4c8dc0748bcec1c6a9ff4f266e258501f1d1045fd1478af49bfa199d4ef533f7da8d189006418bb90d22249a986fe3058c283ccd863cce87f56020544438ba48

Download Submit
\Windows\system\sethome3079.exe

Filesize
284KB

MD5
7b79bf9917c18ce66cd022f721b6cb98

SHA1
48424f0895a20aa4a63ec29d52452a34154c9f65

SHA256
f9e05c1198165f9de0c2ada3839af32e192099db9bdc2d35ef2d9826f533dd30

SHA512
1c242421832d691c9adb1d43eb489eab4ebc864c86816de4f271720eac4772fa51536ffd6ac891acc609f18df622965928917ef409cd460c6aa126dd2c1c8004

Download Submit