0623ecea6152255e7138ec268afda385cc32d1fba64b41ad1a13a629f462346d

Analysis

max time kernel
144s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
11-04-2024 11:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
Size

20.4MB
MD5

392bfd765448b6b66591db5c3e7ae529
SHA1

352deb85ba8855d2f063c010433c9a8dc0f937f1
SHA256

0623ecea6152255e7138ec268afda385cc32d1fba64b41ad1a13a629f462346d
SHA512

89e66a51798562dbafe9317add260c712257d9fcdcccbb5e650165695f3ca019869b879d2cc2ee978c188f22704e65a51979becf38379ca65aac3a362a10f683
SSDEEP

196608:gCcCcdHxOwfACcCcdHxOwf4vbrx/NsqXd2VBlfDDAGmsBU:wROAQROA2nbolfXYs+

Score

8^/10

persistence ransomware

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\windows\SysWOW64\drivers\spo0lve.exe	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
File opened for modification	C:\windows\SysWOW64\drivers\spo0lve.exe	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\spron = "C:\\Users\\Admin\\AppData\\Local\\Temp/2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe"	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pigdesk.bmp"	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\msotd.exe	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\fontconfig.properties.src	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\OLicenseHeartbeat.exe	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
File created	C:\Program Files\Windows Mail\wabmig.exe	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\dbcicons.exe	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Wordconv.exe	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\msoev.exe	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
File created	C:\Program Files\Windows Media Player\wmpconfig.exe	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\createdump.exe	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\msouc.exe	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PerfBoost.exe	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\lyncicon.exe	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-1000-0000000FF1CE}\misc.exe	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
File created	C:\Program Files\Windows Media Player\setup_wm.exe	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\msoasb.exe	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\fontconfig.properties.src	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\AppVLP.exe	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\Desktop\WallpaperStyle = "2"	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\Desktop\TileWallpaper = "2"	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe

Suspicious behavior: EnumeratesProcesses 50 IoCs

pid	Process
2932	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
2932	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
2932	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
2932	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
2932	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
2932	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
2932	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
2932	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
2932	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
2932	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
2932	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
2932	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
2932	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
2932	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
2932	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
2932	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
2932	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
2932	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
2932	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
2932	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
2932	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
2932	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
2932	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
2932	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
2932	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
2932	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
2932	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
2932	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
2932	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
2932	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
2932	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
2932	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
2932	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
2932	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
2932	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
2932	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
2932	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
2932	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
2932	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
2932	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
2932	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
2932	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
2932	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
2932	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
2932	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
2932	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
2932	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
2932	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
2932	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
2932	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2932	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
2932	2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-11_392bfd765448b6b66591db5c3e7ae529_icedid.exe"
1⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Uninstall.exe

Filesize
20.4MB

MD5
d2f3cf055aef06abdf32930f6f7ceb74

SHA1
786bf07a48f90cd9c993fcf45c577d9d7f7bc6fa

SHA256
cc98d7506a989bbd2cd0673db6b72befc260be8b71edb84089f37c137adbad5d

SHA512
24b021aa1c81696925b348c7c1a35258a96ecf10b1b1f6f6bf4b3aa837e0f6ebe38365afd9925f6d2ac8e58408fa25e310da4aa582602d41fcd2e9a9b2215738

Download Submit