8e1be5765838f7b7753f8dba3c4d550a4687ffa5f344f1478f1fa9b5eef1413c

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10/04/2024, 00:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-10_8e56793791c8cc2b4267b2af846816de_icedid.exe
Size

3.4MB
MD5

8e56793791c8cc2b4267b2af846816de
SHA1

03faf389fd98e30d5a126e66472c69c487f3d70d
SHA256

8e1be5765838f7b7753f8dba3c4d550a4687ffa5f344f1478f1fa9b5eef1413c
SHA512

f7a0b80813e4c135f6d939553e3f381890df6e6a52edcba8b15b7b4112de391a30515fe1e745aff165e4e42f35cc88ebcb3200474e676d31ba9611edc10ce50b
SSDEEP

98304:pFa2Bz9Jej5FFTVU+hjSVOdwjM5SFJspDLOMgdW:fa2Bz9Jej5FFTJhjSoAvIDLwM

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	@AE3E32.tmp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	WdExt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	module_launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	kb50145.exe

Executes dropped EXE 6 IoCs

pid	Process
1948	@AE3E32.tmp.exe
3852	2024-04-10_8e56793791c8cc2b4267b2af846816de_icedid.exe
3532	WdExt.exe
2740	module_launcher.exe
5048	kb50145.exe
1544	injector_s.exe

Loads dropped DLL 2 IoCs

pid	Process
1948	@AE3E32.tmp.exe
3532	WdExt.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender Extension = "\"C:\\Users\\Admin\\AppData\\Roaming\\Admin\\module_launcher.exe\""	module_launcher.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1948	@AE3E32.tmp.exe
1948	@AE3E32.tmp.exe
3532	WdExt.exe
3532	WdExt.exe
2740	module_launcher.exe
2740	module_launcher.exe
2740	module_launcher.exe
2740	module_launcher.exe
2740	module_launcher.exe
2740	module_launcher.exe
2740	module_launcher.exe
2740	module_launcher.exe
1544	injector_s.exe
1544	injector_s.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1544	injector_s.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 1652 wrote to memory of 2840	1652	2024-04-10_8e56793791c8cc2b4267b2af846816de_icedid.exe	86
PID 1652 wrote to memory of 2840	1652	2024-04-10_8e56793791c8cc2b4267b2af846816de_icedid.exe	86
PID 1652 wrote to memory of 2840	1652	2024-04-10_8e56793791c8cc2b4267b2af846816de_icedid.exe	86
PID 1652 wrote to memory of 2840	1652	2024-04-10_8e56793791c8cc2b4267b2af846816de_icedid.exe	86
PID 1652 wrote to memory of 2840	1652	2024-04-10_8e56793791c8cc2b4267b2af846816de_icedid.exe	86
PID 2840 wrote to memory of 1948	2840	explorer.exe	89
PID 2840 wrote to memory of 1948	2840	explorer.exe	89
PID 2840 wrote to memory of 1948	2840	explorer.exe	89
PID 2840 wrote to memory of 3852	2840	explorer.exe	90
PID 2840 wrote to memory of 3852	2840	explorer.exe	90
PID 2840 wrote to memory of 3852	2840	explorer.exe	90
PID 1948 wrote to memory of 4792	1948	@AE3E32.tmp.exe	92
PID 1948 wrote to memory of 4792	1948	@AE3E32.tmp.exe	92
PID 1948 wrote to memory of 4792	1948	@AE3E32.tmp.exe	92
PID 1948 wrote to memory of 5012	1948	@AE3E32.tmp.exe	93
PID 1948 wrote to memory of 5012	1948	@AE3E32.tmp.exe	93
PID 1948 wrote to memory of 5012	1948	@AE3E32.tmp.exe	93
PID 4792 wrote to memory of 3532	4792	cmd.exe	96
PID 4792 wrote to memory of 3532	4792	cmd.exe	96
PID 4792 wrote to memory of 3532	4792	cmd.exe	96
PID 3532 wrote to memory of 4072	3532	WdExt.exe	97
PID 3532 wrote to memory of 4072	3532	WdExt.exe	97
PID 3532 wrote to memory of 4072	3532	WdExt.exe	97
PID 4072 wrote to memory of 2740	4072	cmd.exe	99
PID 4072 wrote to memory of 2740	4072	cmd.exe	99
PID 4072 wrote to memory of 2740	4072	cmd.exe	99
PID 2740 wrote to memory of 1220	2740	module_launcher.exe	100
PID 2740 wrote to memory of 1220	2740	module_launcher.exe	100
PID 2740 wrote to memory of 1220	2740	module_launcher.exe	100
PID 1220 wrote to memory of 5048	1220	cmd.exe	102
PID 1220 wrote to memory of 5048	1220	cmd.exe	102
PID 1220 wrote to memory of 5048	1220	cmd.exe	102
PID 5048 wrote to memory of 1544	5048	kb50145.exe	103
PID 5048 wrote to memory of 1544	5048	kb50145.exe	103
PID 5048 wrote to memory of 1544	5048	kb50145.exe	103
PID 5048 wrote to memory of 5076	5048	kb50145.exe	104
PID 5048 wrote to memory of 5076	5048	kb50145.exe	104
PID 5048 wrote to memory of 5076	5048	kb50145.exe	104
PID 1544 wrote to memory of 3476	1544	injector_s.exe	57

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3476
- C:\Users\Admin\AppData\Local\Temp\2024-04-10_8e56793791c8cc2b4267b2af846816de_icedid.exe
  "C:\Users\Admin\AppData\Local\Temp\2024-04-10_8e56793791c8cc2b4267b2af846816de_icedid.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1652
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2840
  - - C:\Users\Admin\AppData\Local\Temp\@AE3E32.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\@AE3E32.tmp.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1948
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin0.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4792
      - C:\Users\Admin\AppData\Roaming\Admin\WdExt.exe
        
        "C:\Users\Admin\AppData\Roaming\Admin\WdExt.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4072
        
        C:\Users\Admin\AppData\Roaming\Admin\module_launcher.exe
        
        "C:\Users\Admin\AppData\Roaming\Admin\module_launcher.exe" /i 3532
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin2.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1220
        
        C:\Users\Admin\AppData\Roaming\Admin\kb50145.exe
        
        "C:\Users\Admin\AppData\Roaming\Admin\kb50145.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5048
        
        C:\Users\Admin\AppData\Roaming\injector_s.exe
        
        "C:\Users\Admin\AppData\Roaming\injector_s.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\a0x.bat" "C:\Users\Admin\AppData\Roaming\Admin\kb50145.exe" "C:\Users\Admin\AppData\Local\Temp\a0x.bat""
        11⤵
        
        PID:5076
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat" "
        5⤵
        
        PID:5012
  - - C:\Users\Admin\AppData\Local\Temp\2024-04-10_8e56793791c8cc2b4267b2af846816de_icedid.exe
      "C:\Users\Admin\AppData\Local\Temp\2024-04-10_8e56793791c8cc2b4267b2af846816de_icedid.exe"
      4⤵
      Executes dropped EXE
      PID:3852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2024-04-10_8e56793791c8cc2b4267b2af846816de_icedid.exe

Filesize
2.5MB

MD5
2863179ec60a4380ae5f862cb1ce02d2

SHA1
a8b9ad60d15e1208a08766cd847f9ac492ca2192

SHA256
edee6c8513994a940fcdb73c9650e5309cb37d8de4c1d619a82563f25cbaa954

SHA512
f66a8e576d9e3a5369d122d05e1b80390a012f1a7e36c8de1a40868934e46ae98b41a7e1a09feacd189f888aefcf9ee979f2d78ae9edc273456e1447b10cdaf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\@AE3E32.tmp.exe

Filesize
970KB

MD5
9e03bc14bed1bd46a4e1c20705a220a9

SHA1
cb6daccda27442836f47792cd8fd9541d3dc3394

SHA256
4ff740fb53fd6d1264d08a8e3c20c25370de9ff63d0dc0f291da44f7ee77a713

SHA512
5d00782cf02f77d81dd4b9ae790ea6559fc379c0c142d0a9a48509b18de13c3e7ead70ad8093c8e78cb4ea46bf17e83512098b275bc1aabda2691b1facd53fee

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp420A.tmp

Filesize
619KB

MD5
713537a3f79d36f0eaeaf8e8fba96322

SHA1
f03481707b940065e41ce008eda643eea78ffe40

SHA256
5864a4bfc200c2d9aadfa8c9540da1af036c2c712309da9d88fa901e9582b950

SHA512
0bf36c904e863d79d57b83e6e54371056b2fc0ddfa89b806519fbeb91c2ac4f9688d5c7d2619a496320d28cd008313fff61f92612dfe69c00d093917366189e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp421B.tmp

Filesize
121KB

MD5
864484e1394eaaa2e9a8a63f01c97be0

SHA1
d02a92d866232f22a8477ab99e6d27354fa310f2

SHA256
e1a25be30164e6aca9bf97454be217f2b49e6f65fa4d3ac710637f6ef8a213a0

SHA512
16919202ee3626ab829070dbe2f43bb5caa9bbaebf63f5de3fb9930825f71edd074855cac6349241705d6bf979203e0eb7f9df2c25d2bfab95ee210ac350568c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp422B.tmp

Filesize
131KB

MD5
ebc999a1ded4f76d648431350fe423bb

SHA1
b1a4abcb00364ede9185209d41e7e2532cd559a0

SHA256
ba6a7655e3860d01201ffbce06398dff71fd97acff99e95ac8cd2a3e3161d1c0

SHA512
aba5a33667e01857650f74ea5dd461c11a0ff121c22e08ab058b950b11b315119b00acaf0aaf7401a668a4131daf73d07717002c6dd55570a79ad5ba526e5ce4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp423C.tmp

Filesize
99KB

MD5
88c497ace0db30cc47fc259b7806ad8f

SHA1
a486cedff64cb60e62ffbefd25ee5df79e6a9714

SHA256
4a8ea33966592b337d31802f55ea7f901caec037b5b1bf18a9e2b6b044915781

SHA512
1748700a158b8f999658eb532e5d4ed80c844b21c47d3bf0d8682de22be4b47a424350196ee3d0538d71a67aca906b781282eb3192031e93e834f417b8134346

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp423D.tmp

Filesize
172KB

MD5
b00a14a9f3b2c8ac19ada6992517ff77

SHA1
8469aa684cf86fcf627c828d40a9dc9688187173

SHA256
015caba690febdd5403ad86a04bb9763db7408a3b3f0be85f9c364580dac4649

SHA512
fea53117dc2efc23af186fae9ea8abc6ed15a516a820d62a5d312525447b0495fc0d81acf540017422427ea45754298fb7e334c9db8c47d49c4ce741f85bbf2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp423E.tmp

Filesize
76KB

MD5
ccf05ce9abe252cc7d68b2ff8ab6cfb7

SHA1
8739e9e007b62d9434bd5d06d5d312d255496a00

SHA256
a1d30db63fcb26cfcc1e128f4b840ac1c822267a8f17de45cc2e2fc19147e41f

SHA512
e2e56fa332b895fc54fd9a6ccd71952f11237f18d66b2342a47c7b707a65743d3f8b84efa5988257e657623cb748cb196e36a8839fb1cd5f600cb30623b2a29b

Download Submit
C:\Users\Admin\AppData\Roaming\Admin\WdExt.exe

Filesize
971KB

MD5
a3b664b3ffc2136292832bdcd6c5b0d7

SHA1
7fa885215d69fb6f5e9a7e6f81f38dd57f4cc5a2

SHA256
1bf751877003001474744d0d94e8e8f3582fdff2cdf3630ca30bda04ba1275d2

SHA512
a3daecee286d7a71b5e7855a0e9d1aa4d90b9b2259c341ad1e4c1b590fb6449601ee367796588636d300d2f4352239b1cce6ab6d6a50bc14388dd05f8ce90014

Download Submit
C:\Users\Admin\AppData\Roaming\Admin\kb50145.exe

Filesize
76KB

MD5
8bf335774fbb62bbe1de03921dfe047a

SHA1
24fc750a20aebb52f23e84264d201f458106d95d

SHA256
048655d212b269073107e4636125ceeea262acce1d364fc512a0cc8f4783dcf7

SHA512
aed95f1c37cc99cee23d250e395a80c9c45c7c1c017ec7baef2af860711dbd5b540bf077d372e94582c9758961063f4c166a03fffce3b17e7fb468ce174b7aea

Download Submit
C:\Users\Admin\AppData\Roaming\Admin\module_launcher.exe

Filesize
172KB

MD5
6ff3155e619e2c601db536c88741e094

SHA1
c71bfc0a9b11db33c801035e06d31a03e2901dd0

SHA256
b4febd6c6fc42b7d86b575f6c44f0d49fbe9ec02e98d3be00cb26b3e32a3a6d1

SHA512
8a3047ff46833003464f0979702a4b4f0cf3998c3e4aa865b2f61cfd377689eae706fb9017c2ca97a2fee7f65d6c17c73ae37e86940a6aefdd06d8f0281bcebc

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Admin0.bat

Filesize
105B

MD5
902a1098f800859502aec4eac3026495

SHA1
a6b209e9aa15087670e830af5de8179b31abc897

SHA256
ff5e923c453d3d61a7989b2b0f978b0bba924a7052667311c9eed54852a20cfd

SHA512
cf7f0197c78f9c7db81068fbc702596a00c5d7c8280751641965917056c0e71265a3a89f3daf6a3600faa13034b54fbedea50ea583723abbfc286f2e7e79fe77

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat

Filesize
122B

MD5
849207b58ec43b6e03f8831a15c7d268

SHA1
88c216a4ad149600b7b692bad852803c91dd5e94

SHA256
a836fc788b75d062b4aca1f647123d10afe30f1d7ea7838af66ec57e429e32f9

SHA512
9168819195211ca4a2f7651b6219f9183df022251f6e24b7380724ce8669a3bb86dac79f3a50d5edaa7460d76af942df964dc83a06189ced5b2d2d50cdb63c2d

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat

Filesize
196B

MD5
890a64dcf3b66ba31b728844e98cade5

SHA1
cbd7654b6937d35eb41659dcebdd1c0065193289

SHA256
e4d47359eb18e1a0dd8a5c52a381d5eb4af0ceeaf4a3754eb60281f24b0dd609

SHA512
1b02e8777dace4a8b0475ac5cb0d6e405432e78b608a5007ec6c46186b7a7058a82389cf6bed0bd6381f3021ace7198be5a9b8c7fc3f0cf507ad2c9872ec6643

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Admin2.bat

Filesize
107B

MD5
85eb3280f9675f88d00040cbea92277f

SHA1
2fece0a30b2153b4a9fee72fe5a637dee1967a2f

SHA256
bf1b95975082845d3d9d8948999d69d666dfe50d741a36cdf81fa180fa4c777b

SHA512
2641b1dfa67216ed86d0394dbc6dd78f6124978c23673c73e4e1da66a93f98364acafc13c3df017fab682ed3d9a2c993f3d9bb562e07b7a1b0a01576e1381298

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\mydll.dll

Filesize
388KB

MD5
8d7db101a7211fe3309dc4dc8cf2dd0a

SHA1
6c2781eadf53b3742d16dab2f164baf813f7ac85

SHA256
93db7c9699594caa19490280842fbebec3877278c92128b92e63d75fcd01397a

SHA512
8b139d447068519997f7bbc2c7c2fe3846b89ae1fba847258277c9ab92a93583b28fae7ffa444768929ed5852cc914c0270446cbf0bd20aca49bde6b6f809c83

Download Submit
C:\Users\Admin\AppData\Roaming\injector_s.exe

Filesize
188KB

MD5
1d1491e1759c1e39bf99a5df90311db3

SHA1
8bd6faed091bb00f879ef379715461130493e97f

SHA256
22c5c5bcb256c1dcaead463c92a70107ba1bac40564fe1e7d46594c6a3936778

SHA512
ac6ca48acbd288011849e55b0c66faf9ead479e39dc2deaecc7ad998e764f02a1807bb9227e03f12ce1a0b1f5c5b3072c3b86b5bae336e84d95d7a3e42cf5a1e

Download Submit
memory/1948-14-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/2840-1-0x0000000000440000-0x0000000000873000-memory.dmp

Filesize
4.2MB

Download