68ddc4b6fd624619735a18a789acecf66ae5187722ac9dde86342f0238771b9a

Analysis

max time kernel
119s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16/04/2024, 19:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-16_a17a095fdf5e2a444f49e4d6758a3874_icedid.exe
Size

2.8MB
MD5

a17a095fdf5e2a444f49e4d6758a3874
SHA1

f4433dca05c6893f26c0c2b61136c2e861955582
SHA256

68ddc4b6fd624619735a18a789acecf66ae5187722ac9dde86342f0238771b9a
SHA512

60f988873eaf787768d0cebc28567d2eee92e10247bd889c5d1c54151fb8375b2d90606f750622c8808c5db7c8a4e6d80698aa3121634069cbb5b12f0bfe0c00
SSDEEP

49152:Mx2HDVONcq7yLdbTChxKCnFnQXBbrtgb/iQvu0UHOa0:JML7Wd6hxvWbrtUTrUHOt

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
3052	@AE4B33.tmp.exe
2560	2024-04-16_a17a095fdf5e2a444f49e4d6758a3874_icedid.exe
1028	WdExt.exe
1160	launch.exe
908	wtmps.exe
2116	mscaps.exe

Loads dropped DLL 11 IoCs

pid	Process
2224	explorer.exe
2224	explorer.exe
2224	explorer.exe
3052	@AE4B33.tmp.exe
1120	cmd.exe
1120	cmd.exe
1028	WdExt.exe
1908	cmd.exe
1908	cmd.exe
540	cmd.exe
540	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender Extension = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Defender\\launch.exe\""	launch.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\mscaps.exe	wtmps.exe
File opened for modification	C:\Windows\SysWOW64\mscaps.exe	wtmps.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
3052	@AE4B33.tmp.exe
2560	2024-04-16_a17a095fdf5e2a444f49e4d6758a3874_icedid.exe
1028	WdExt.exe
1160	launch.exe
1160	launch.exe
1160	launch.exe
1160	launch.exe
1160	launch.exe
1160	launch.exe
1160	launch.exe
1160	launch.exe
1160	launch.exe
1160	launch.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2560	2024-04-16_a17a095fdf5e2a444f49e4d6758a3874_icedid.exe
2560	2024-04-16_a17a095fdf5e2a444f49e4d6758a3874_icedid.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2560	2024-04-16_a17a095fdf5e2a444f49e4d6758a3874_icedid.exe
2560	2024-04-16_a17a095fdf5e2a444f49e4d6758a3874_icedid.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2560	2024-04-16_a17a095fdf5e2a444f49e4d6758a3874_icedid.exe
2560	2024-04-16_a17a095fdf5e2a444f49e4d6758a3874_icedid.exe
2560	2024-04-16_a17a095fdf5e2a444f49e4d6758a3874_icedid.exe
2560	2024-04-16_a17a095fdf5e2a444f49e4d6758a3874_icedid.exe
2560	2024-04-16_a17a095fdf5e2a444f49e4d6758a3874_icedid.exe

Suspicious use of WriteProcessMemory 61 IoCs

description	pid	Process	procid_target
PID 1932 wrote to memory of 2224	1932	2024-04-16_a17a095fdf5e2a444f49e4d6758a3874_icedid.exe	28
PID 1932 wrote to memory of 2224	1932	2024-04-16_a17a095fdf5e2a444f49e4d6758a3874_icedid.exe	28
PID 1932 wrote to memory of 2224	1932	2024-04-16_a17a095fdf5e2a444f49e4d6758a3874_icedid.exe	28
PID 1932 wrote to memory of 2224	1932	2024-04-16_a17a095fdf5e2a444f49e4d6758a3874_icedid.exe	28
PID 1932 wrote to memory of 2224	1932	2024-04-16_a17a095fdf5e2a444f49e4d6758a3874_icedid.exe	28
PID 1932 wrote to memory of 2224	1932	2024-04-16_a17a095fdf5e2a444f49e4d6758a3874_icedid.exe	28
PID 2224 wrote to memory of 3052	2224	explorer.exe	29
PID 2224 wrote to memory of 3052	2224	explorer.exe	29
PID 2224 wrote to memory of 3052	2224	explorer.exe	29
PID 2224 wrote to memory of 3052	2224	explorer.exe	29
PID 2224 wrote to memory of 2560	2224	explorer.exe	30
PID 2224 wrote to memory of 2560	2224	explorer.exe	30
PID 2224 wrote to memory of 2560	2224	explorer.exe	30
PID 2224 wrote to memory of 2560	2224	explorer.exe	30
PID 2224 wrote to memory of 2560	2224	explorer.exe	30
PID 2224 wrote to memory of 2560	2224	explorer.exe	30
PID 2224 wrote to memory of 2560	2224	explorer.exe	30
PID 3052 wrote to memory of 1120	3052	@AE4B33.tmp.exe	31
PID 3052 wrote to memory of 1120	3052	@AE4B33.tmp.exe	31
PID 3052 wrote to memory of 1120	3052	@AE4B33.tmp.exe	31
PID 3052 wrote to memory of 1120	3052	@AE4B33.tmp.exe	31
PID 3052 wrote to memory of 2764	3052	@AE4B33.tmp.exe	33
PID 3052 wrote to memory of 2764	3052	@AE4B33.tmp.exe	33
PID 3052 wrote to memory of 2764	3052	@AE4B33.tmp.exe	33
PID 3052 wrote to memory of 2764	3052	@AE4B33.tmp.exe	33
PID 1120 wrote to memory of 1028	1120	cmd.exe	35
PID 1120 wrote to memory of 1028	1120	cmd.exe	35
PID 1120 wrote to memory of 1028	1120	cmd.exe	35
PID 1120 wrote to memory of 1028	1120	cmd.exe	35
PID 1028 wrote to memory of 1908	1028	WdExt.exe	36
PID 1028 wrote to memory of 1908	1028	WdExt.exe	36
PID 1028 wrote to memory of 1908	1028	WdExt.exe	36
PID 1028 wrote to memory of 1908	1028	WdExt.exe	36
PID 1908 wrote to memory of 1160	1908	cmd.exe	38
PID 1908 wrote to memory of 1160	1908	cmd.exe	38
PID 1908 wrote to memory of 1160	1908	cmd.exe	38
PID 1908 wrote to memory of 1160	1908	cmd.exe	38
PID 1908 wrote to memory of 1160	1908	cmd.exe	38
PID 1908 wrote to memory of 1160	1908	cmd.exe	38
PID 1908 wrote to memory of 1160	1908	cmd.exe	38
PID 1160 wrote to memory of 540	1160	launch.exe	39
PID 1160 wrote to memory of 540	1160	launch.exe	39
PID 1160 wrote to memory of 540	1160	launch.exe	39
PID 1160 wrote to memory of 540	1160	launch.exe	39
PID 1160 wrote to memory of 540	1160	launch.exe	39
PID 1160 wrote to memory of 540	1160	launch.exe	39
PID 1160 wrote to memory of 540	1160	launch.exe	39
PID 540 wrote to memory of 908	540	cmd.exe	41
PID 540 wrote to memory of 908	540	cmd.exe	41
PID 540 wrote to memory of 908	540	cmd.exe	41
PID 540 wrote to memory of 908	540	cmd.exe	41
PID 540 wrote to memory of 908	540	cmd.exe	41
PID 540 wrote to memory of 908	540	cmd.exe	41
PID 540 wrote to memory of 908	540	cmd.exe	41
PID 908 wrote to memory of 2116	908	wtmps.exe	43
PID 908 wrote to memory of 2116	908	wtmps.exe	43
PID 908 wrote to memory of 2116	908	wtmps.exe	43
PID 908 wrote to memory of 2116	908	wtmps.exe	43
PID 908 wrote to memory of 2116	908	wtmps.exe	43
PID 908 wrote to memory of 2116	908	wtmps.exe	43
PID 908 wrote to memory of 2116	908	wtmps.exe	43

C:\Users\Admin\AppData\Local\Temp\2024-04-16_a17a095fdf5e2a444f49e4d6758a3874_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-16_a17a095fdf5e2a444f49e4d6758a3874_icedid.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1932
- C:\Windows\SysWOW64\explorer.exe
  explorer.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2224
- - C:\Users\Admin\AppData\Local\Temp\@AE4B33.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\@AE4B33.tmp.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3052
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin0.bat" "
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1120
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1028
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat" "
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1908
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe" /i 1028
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1160
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin2.bat" "
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:540
        
        C:\Users\Admin\AppData\Local\Temp\wtmps.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wtmps.exe"
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:908
        
        C:\Windows\SysWOW64\mscaps.exe
        
        "C:\Windows\system32\mscaps.exe" /C:\Users\Admin\AppData\Local\Temp\wtmps.exe
        10⤵
        Executes dropped EXE
        
        PID:2116
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat" "
      4⤵
      PID:2764
- - C:\Users\Admin\AppData\Local\Temp\2024-04-16_a17a095fdf5e2a444f49e4d6758a3874_icedid.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a17a095fdf5e2a444f49e4d6758a3874_icedid.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2024-04-16_a17a095fdf5e2a444f49e4d6758a3874_icedid.exe

Filesize
1.1MB

MD5
2431fe687b06f1aaa2c7b31418d7af21

SHA1
7fc40dc7db52aa705e0863b636dd35446ea9a908

SHA256
53159103c550e6e01fafd53fa6b7f88cceb336e35d9ae5f43474b43934d222c2

SHA512
700dfc8fe3b8e55cba3ac0f9f5009ae381495e42902d8adb02492eadb2bc82dbcaaf5aefbb6d866e1cc41a3cf9eb2e4b0f8f7084dc0bbbede67e8f2b263f2196

Download Submit
C:\Users\Admin\AppData\Local\Temp\61B0.tmp

Filesize
406B

MD5
37512bcc96b2c0c0cf0ad1ed8cfae5cd

SHA1
edf7f17ce28e1c4c82207cab8ca77f2056ea545c

SHA256
27e678bf5dc82219d6edd744f0b82567a26e40f8a9dcd6487205e13058e3ed1f

SHA512
6d4252ab5aa441a76ce2127224fefcb221259ab4d39f06437b269bd6bfdaae009c8f34e9603ec734159553bc9f1359bdd70316cd426d73b171a9f17c41077641

Download Submit
C:\Users\Admin\AppData\Local\Temp\Se5063.tmp

Filesize
896B

MD5
be49ee9d1b6da594241ce3b7432c5d64

SHA1
d81e68b9bf84258af2e6b5595c4f5c8d53b9c901

SHA256
db66d62796ae12bf459e514f27bb1a0d416d804365f44e8ec53dd760e3f7b8b8

SHA512
0c15d8d86e0dfccbcecd50b3dd5906f8f5b7c52511128d01be82b394ccb08ed85a486a101bbb5d992a688d1e62f21fda712daef1bf3a5ecba9aad152e47562f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\wtmps.exe

Filesize
276KB

MD5
75c1467042b38332d1ea0298f29fb592

SHA1
f92ea770c2ddb04cf0d20914578e4c482328f0f8

SHA256
3b20c853d4ca23240cd338b8cab16f1027c540ddfe9c4ffdca1624d2f923b373

SHA512
5c47c59ad222e2597ccdf2c100853c48f022e933f44c279154346eacf9e7e6f54214ada541d43a10424035f160b56131aab206c11512a9fd6ea614fbd3160aa0

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Admin0.bat

Filesize
129B

MD5
d1073c9b34d1bbd570928734aacff6a5

SHA1
78714e24e88d50e0da8da9d303bec65b2ee6d903

SHA256
b3c704b1a728004fc5e25899d72930a7466d7628dd6ddd795b3000897dfa4020

SHA512
4f2b9330e30fcc55245dc5d12311e105b2b2b9d607fbfc4a203c69a740006f0af58d6a01e2da284575a897528da71a2e61a7321034755b78feb646c8dd12347f

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat

Filesize
126B

MD5
a6717cb05e191252c2a57cf48f8f19ad

SHA1
178036920bff3cda2c3d8175a7cf0e1a8f0c5512

SHA256
eec87ff6874090f67dfaeaeb3e933db8879f11c00e08e5e73789cbbc381df56a

SHA512
fdbc367bca1f2499aead729e8d45850b67254ee52361119014205ed750690c1b0c01020675d7426310712a92befbcf6273f2eefd1ea7e2aea7ea24b074d5d98e

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat

Filesize
196B

MD5
ce697b9aca2ceb1f291e858946bc22ed

SHA1
ede49aa6c6c4e7575a4bc8f5d776c2f58092623d

SHA256
07ee172e648c2a405f512cbf8b86cc6e307dde309f5e42796360124acabeca61

SHA512
9de17abcf1d1b48471e644fb6b95667a4aaa55af15b4b0ab486ac3b93f33e37e5ba93a28bdfadc3d3482bb8a82d4f1c932704bdf309c9a105c934fdbe62a3e48

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Admin2.bat

Filesize
102B

MD5
3ca08f080a7a28416774d80552d4aa08

SHA1
0b5f0ba641204b27adac4140fd45dce4390dbf24

SHA256
4e7d460b8dc9f2c01b4c5a16fb956aced10127bc940e8039a80c6455901ea1f0

SHA512
0c64aa462ff70473ef763ec392296fe0ea59b5340c26978531a416732bc3845adf9ca7b673cb7b4ba40cc45674351206096995c43600fccbbbe64e51b6019f01

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\mydll.dll

Filesize
202KB

MD5
684c111c78f8bf6fcb5575d400e7669c

SHA1
d587894c0beffdff00ae6d358a5463ef18bcb485

SHA256
080fb4cd0b92884c89efab9161685f3ba0666cd9dab8de6c752bfe35e4e45716

SHA512
bcf748d21be502d7346f56ffc9ef13f3394d46c679d7cf17289d007e91b4ead2ec4035b3ccd5626eb378958cbb6ac371edfde8319433db9b709694595ae53e4f

Download Submit
C:\Windows\SysWOW64\mscaps.exe

Filesize
200KB

MD5
78d3c8705f8baf7d34e6a6737d1cfa18

SHA1
9f09e248a29311dbeefae9d85937b13da042a010

SHA256
2c4c9ec8e9291ba5c73f641af2e0c3e1bbd257ac40d9fb9d3faab7cebc978905

SHA512
9a3c3175276da58f1bc8d1138e63238c8d8ccfbfa1a8a1338e88525eca47f8d745158bb34396b7c3f25e4296be5f45a71781da33ad0bbdf7ad88a9c305b85609

Download Submit
\Users\Admin\AppData\Local\Temp\@AE4B33.tmp.exe

Filesize
1.7MB

MD5
e3462de408a5ba99c050ffb8ab7b7891

SHA1
9c3cf016acc2d4f0466bba9092773d86c1e95fa6

SHA256
025f31ab8c651acc549a467e6f46601094af7479722f9ad98619b216daaf8461

SHA512
338bac420a4625ed58c2437f8a4d0010ddb25ae0b35cdfc5f6ba7e24f4bf866d29437578c0177dc50125314c54aa3804f45f218eff3563caf10b4e4094aeccaa

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe

Filesize
172KB

MD5
daac1781c9d22f5743ade0cb41feaebf

SHA1
e2549eeeea42a6892b89d354498fcaa8ffd9cac4

SHA256
6a7093440420306cf7de53421a67af8a1094771e0aab9535acbd748d08ed766c

SHA512
190a7d5291e20002f996edf1e04456bfdff8b7b2f4ef113178bd42a9e5fd89fe6d410ae2c505de0358c4f53f9654ac1caaa8634665afa6d9691640dd4ee86160

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe

Filesize
1.7MB

MD5
f53d512f2b862893f5731bcaec89d5bb

SHA1
3aa164300dc98344e8ee441aa470b4f448223af2

SHA256
3c92a23e0a8a1ddfe57ea2049ac58f0b0e4671ce81893040cd4e9950db19d524

SHA512
90e5622acc85ee3fab242378880254663c70f1fa5c9dcae7fbcc15c3622b45d7c00e43707874d0b988f8e3a9b3edbb6c0ff294df62557c0ef609a69b36cbde08

Download Submit
\Users\Admin\AppData\Roaming\Temp\mydll.dll

Filesize
202KB

MD5
7ff15a4f092cd4a96055ba69f903e3e9

SHA1
a3d338a38c2b92f95129814973f59446668402a8

SHA256
1b594e6d057c632abb3a8cf838157369024bd6b9f515ca8e774b22fe71a11627

SHA512
4b015d011c14c7e10568c09bf81894681535efb7d76c3ef9071fffb3837f62b36e695187b2d32581a30f07e79971054e231a2ca4e8ad7f0f83d5876f8c086dae

Download Submit
memory/1160-265-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/3052-17-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download