bff511ebe1b5836258f15349bd0c90253625b4a6db0a095c8576e30ab7e6a025

Analysis

max time kernel
147s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06-04-2024 14:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-06_b6edec3676c48272aace0eebfffa3573_icedid.exe
Size

284KB
MD5

b6edec3676c48272aace0eebfffa3573
SHA1

a1c315bf34a28aa81197993a294b26e52a47a195
SHA256

bff511ebe1b5836258f15349bd0c90253625b4a6db0a095c8576e30ab7e6a025
SHA512

76a4c7b1c9e7e6d1ebc43de591caafb13dae8c08cf13f113f3200a7243dee1b97bdbde9cc55219f7b412f700701811a89939567f9dc9a930d7524051189f102e
SSDEEP

6144:klDx7mlcAZBcIdqkorDfoR/0C1fzDB9ePHSJ:klDx7mlHZo7HoRv177ePH

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4212	sethome6609.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	\??\c:\windows\system\sethome6609.exe	2024-04-06_b6edec3676c48272aace0eebfffa3573_icedid.exe
File opened for modification	\??\c:\windows\system\sethome6609.exe	2024-04-06_b6edec3676c48272aace0eebfffa3573_icedid.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.baiduo.org/"	2024-04-06_b6edec3676c48272aace0eebfffa3573_icedid.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1792	2024-04-06_b6edec3676c48272aace0eebfffa3573_icedid.exe
1792	2024-04-06_b6edec3676c48272aace0eebfffa3573_icedid.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1792	2024-04-06_b6edec3676c48272aace0eebfffa3573_icedid.exe
1792	2024-04-06_b6edec3676c48272aace0eebfffa3573_icedid.exe
1792	2024-04-06_b6edec3676c48272aace0eebfffa3573_icedid.exe
1792	2024-04-06_b6edec3676c48272aace0eebfffa3573_icedid.exe
4212	sethome6609.exe
4212	sethome6609.exe
4212	sethome6609.exe
4212	sethome6609.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1792 wrote to memory of 4212	1792	2024-04-06_b6edec3676c48272aace0eebfffa3573_icedid.exe	97
PID 1792 wrote to memory of 4212	1792	2024-04-06_b6edec3676c48272aace0eebfffa3573_icedid.exe	97
PID 1792 wrote to memory of 4212	1792	2024-04-06_b6edec3676c48272aace0eebfffa3573_icedid.exe	97

C:\Users\Admin\AppData\Local\Temp\2024-04-06_b6edec3676c48272aace0eebfffa3573_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-06_b6edec3676c48272aace0eebfffa3573_icedid.exe"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer start page
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1792
- \??\c:\windows\system\sethome6609.exe
  c:\windows\system\sethome6609.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Internet Explorer.lnk

Filesize
1KB

MD5
af9351c796d6ce4a6bdd5cadad4e3670

SHA1
5c5c184a92c4f29ed175569a1295dc1a54d88748

SHA256
e1bfa1500209b09a0de5d6de496c8f02aae7c3be0c7eae03f95f0896004b1c05

SHA512
de0751446c0bdad9c5c438cc1cc131728f7ac1058c432eec023f8494411ea4cd02ca7dc9d1b7b13ad95f433af1636433d881840431d5c35858b6049320bd8b16

Download Submit
C:\Users\abc.lnk

Filesize
1KB

MD5
e0e65188c7e500ec4ba898882c35395a

SHA1
f37e64ae5f6d7fd6f112abca34ad76960e13be47

SHA256
09156b0b90ac7925ff155c22fa3efcca522681de482378ea950545fb5fcf68b4

SHA512
98372e4759b9511d68b8681a23b69636b9c59e15f954ae9cb811eee4fc242065042d4617c41e7ea0133825f8d2ed7ab9a78bbb7f3cea52c2c57b8d309bf3a2ff

Download Submit
\??\c:\windows\system\sethome6609.exe

Filesize
284KB

MD5
3f9db94ccdb883560d7b2f1c8800bec9

SHA1
ea1cb263d3f6c3f8f5e95b9a19914d2482d8fbe5

SHA256
ed151cccc9d9fa97998d7bfcd333a4ee926bf4b0e588730f98422e62d611cb02

SHA512
c56bc55a3bc1c095ee4165d5385cef11f278339d0d472d0a3086bf272117c21d9408a4ec537b2b08c3801a8e12db5be1bc7b75a28ba92ef755d5cac306bf77f0

Download Submit