Analysis
- max time kernel: 120s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 20/04/2024, 06:51 UTC

Static task: static1
Behavioral task: behavioral1
Sample: 2024-04-20_f4c643c6d310c79018da4ab405e2a8b8_icedid.exe
Resource: win7-20240220-en
General
- Target: 2024-04-20_f4c643c6d310c79018da4ab405e2a8b8_icedid.exe
- Size: 284KB
- MD5: f4c643c6d310c79018da4ab405e2a8b8
- SHA1: 2efa89b5eaab5c7c5baeb57bc811ffcb63cb74fc
- SHA256: 3e46c0a488563b5ec02f1bab132195accacae030e50324073af6ca2bab6386dd
- SHA512: dc937e0f25b18aded9d0484c216e00740b64053ecc850c083202d73e5b02c5b8deeb1591fb803fb45ee119f87a0fcf533f159f40e6a0809f9c75e77d0a0836be
- SSDEEP: 6144:UlDx7mlcAZBcIdqkorDfoR/0C1fzDB9ePHSJ:UlDx7mlHZo7HoRv177ePH
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  pid | Process
  2508 | sethome5919.exe
- Loads dropped DLL (2 IoCs)
  pid | Process
  2292 | 2024-04-20_f4c643c6d310c79018da4ab405e2a8b8_icedid.exe
  2292 | 2024-04-20_f4c643c6d310c79018da4ab405e2a8b8_icedid.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops file in Windows directory (2 IoCs)
  description | ioc | Process
  File created | \??\c:\windows\system\sethome5919.exe | 2024-04-20_f4c643c6d310c79018da4ab405e2a8b8_icedid.exe
  File opened for modification | \??\c:\windows\system\sethome5919.exe | 2024-04-20_f4c643c6d310c79018da4ab405e2a8b8_icedid.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies Internet Explorer start page (1 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.baiduo.org/" | 2024-04-20_f4c643c6d310c79018da4ab405e2a8b8_icedid.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid | Process
  2292 | 2024-04-20_f4c643c6d310c79018da4ab405e2a8b8_icedid.exe
- Suspicious use of SetWindowsHookEx (8 IoCs)
  pid | Process
  2292 | 2024-04-20_f4c643c6d310c79018da4ab405e2a8b8_icedid.exe
  2292 | 2024-04-20_f4c643c6d310c79018da4ab405e2a8b8_icedid.exe
  2292 | 2024-04-20_f4c643c6d310c79018da4ab405e2a8b8_icedid.exe
  2292 | 2024-04-20_f4c643c6d310c79018da4ab405e2a8b8_icedid.exe
  2508 | sethome5919.exe
  2508 | sethome5919.exe
  2508 | sethome5919.exe
  2508 | sethome5919.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 2292 wrote to memory of 2508 | 2292 | 2024-04-20_f4c643c6d310c79018da4ab405e2a8b8_icedid.exe | 30
  PID 2292 wrote to memory of 2508 | 2292 | 2024-04-20_f4c643c6d310c79018da4ab405e2a8b8_icedid.exe | 30
  PID 2292 wrote to memory of 2508 | 2292 | 2024-04-20_f4c643c6d310c79018da4ab405e2a8b8_icedid.exe | 30
  PID 2292 wrote to memory of 2508 | 2292 | 2024-04-20_f4c643c6d310c79018da4ab405e2a8b8_icedid.exe | 30
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-04-20_f4c643c6d310c79018da4ab405e2a8b8_icedid.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-20_f4c643c6d310c79018da4ab405e2a8b8_icedid.exe"
  PID: 2292
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies Internet Explorer start page
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - Child process: \??\c:\windows\system\sethome5919.exe
    Command line: c:\windows\system\sethome5919.exe
    PID: 2508
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx

Network
- Remote address: 8.8.8.8:53
  Request: 1235633.3322.org IN A
  Response: (none recorded)
- Remote address: 8.8.8.8:53
  Request: 1235633.3322.org IN A
MITRE ATT&CK Enterprise v15
Downloads
- (no path recorded)
  Filesize: 965B
  MD5: ffe130a8a3ea451ea42a4ce80a108d76
  SHA1: ae4c1412cc563faa1af9cc6168eaf37ccb7bf98a
  SHA256: d865c8aa544f00b7fad8b15d14713a4a818f4d1066f0fd819d3a70fc25274175
  SHA512: 0b0115af0ac68a4f8637ae2215e17e1f0ffb904acaeec653763529ccd73f3cba6d01529b9e8037313dc96ef0f94b240c572d7efc6d52c79eb6008910e0f5d3d1
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk
  Filesize: 1KB
  MD5: e17da7d45f12a31a9a48bebaa3f79190
  SHA1: 672f5fcd657b65a9c61f04bfc12acbadad2f62d8
  SHA256: ea4f70132fa60b37b956698d067870c25d0df4032968e40e770141f024c6b0de
  SHA512: b0ba483695160948cefbe20f1acbd7c4824018b7c58813d023df34c30f2501ef4f64484553d74be9fac7d9eb5a81cd076c0b8d53c60e6439d3a3492c543bdd1b
- (no path recorded)
  Filesize: 1KB
  MD5: 97a48f9b67cd984528746800acd38533
  SHA1: 400e1d9ee2db8a89773c1f06d372168430b247f3
  SHA256: b5f52b15e5ce4004f6680c2cf3ff008e52bdf32191bbb0bdf087c5691b60f781
  SHA512: 46605a2a7f9ffec2cd215c0d7be71d20dd3b339ea00b458c13ca2d581c91e51c852c2b335d9e8a743c89cc3090fcb4b4c8580178155bfa5230268669c5bad6e3
- (no path recorded)
  Filesize: 284KB
  MD5: 1de647ad47e0669b07c58410072c0b99
  SHA1: fb89680ff4a8ed4012f1ca3ebfb18c4d3f67683d
  SHA256: 0788f1932e39b89a3d7b108de475f53c1880e02089cc303c418c0b62c3b44002
  SHA512: 1deaffcf76442181f09ef71b0c3a5ffbe7c4d95d1eae32acb0653e6e48b4833ee589f14c074e72f5b792fd7e313be33b1d2e05ecd2de785e44137fb82b41bc2e