Analysis

max time kernel: 149s
max time network: 141s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22/04/2024, 01:14
Static task: static1

Behavioral task: behavioral1
  Sample: 2024-04-22_36501c4498679c0162360a75b1c373ad_icedid.exe
  Resource: win7-20240220-en

Behavioral task: behavioral2
  Sample: 2024-04-22_36501c4498679c0162360a75b1c373ad_icedid.exe
  Resource: win10v2004-20240412-en
General

Target: 2024-04-22_36501c4498679c0162360a75b1c373ad_icedid.exe
Size: 4.6MB
MD5: 36501c4498679c0162360a75b1c373ad
SHA1: 2d358c031dc089ea57895df1dfd4a3ec5f831bfd
SHA256: 91319687859ee046f333ae22f34e1db0fb2e837f49fb3146fa7138ac4323565a
SHA512: 19eb1397d510087ba612dfee5abfa2711f2bc18b5133be0134971edb9a12bb67518bf1ef71cf984290e2e9dbaac003ceec6f67b0ecf025b6ab7144d2ddb43715
SSDEEP: 98304:dAExNn029IJBAUZLF5bY1MwNn2rqznE/BEb5huWSxq/c9lKEN1j:K4mJV70MDmzUEFeq/6wY
Malware Config
Signatures
Detects executables embedding registry key / value combination indicative of disabling Windows Defender features (7 IoCs)

resource  yara_rule
behavioral2/files/0x000700000002345a-10.dat  INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral2/memory/2016-17-0x0000000000400000-0x000000000069B000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral2/memory/2016-18-0x0000000000400000-0x000000000069B000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral2/memory/2016-19-0x0000000000400000-0x000000000069B000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral2/memory/2016-21-0x0000000000400000-0x000000000069B000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral2/memory/2016-34-0x0000000000400000-0x000000000069B000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral2/memory/2016-35-0x0000000000400000-0x000000000069B000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.

description  ioc  Process
Key value queried  \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation  2024-04-22_36501c4498679c0162360a75b1c373ad_icedid.exe
Executes dropped EXE (1 IoCs)

pid  Process
4712  wmplayer.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.

description  ioc  Process
All 64 entries are "File opened (read-only)" of a drive root (\??\<letter>:), grouped here by process:
2024-04-22_36501c4498679c0162360a75b1c373ad_icedid.exe (22 drives): A, B, G, H, I, J, K, L, M, N, O, P, Q, R, S, T, U, V, W, X, Y, Z
wmplayer.exe (21 drives): A, B, E, G, H, I, J, K, L, M, N, P, Q, R, S, T, U, V, X, Y, Z
svchost.exe (21 drives): B, E, G, H, I, J, K, L, M, O, P, Q, R, S, T, U, V, W, X, Y, Z
Suspicious use of SetThreadContext (1 IoCs)

description  pid  Process  procid_target
PID 4712 set thread context of 2016  4712  wmplayer.exe  102
Drops file in Program Files directory (4 IoCs)

description  ioc  Process
File opened for modification  C:\Program Files\Windows Media Player\wmplayer\LSML\  2024-04-22_36501c4498679c0162360a75b1c373ad_icedid.exe
File opened for modification  C:\Program Files\Windows Media Player\wmplayer\  2024-04-22_36501c4498679c0162360a75b1c373ad_icedid.exe
File created  C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe  2024-04-22_36501c4498679c0162360a75b1c373ad_icedid.exe
File opened for modification  C:\Program Files\Windows Media Player\wmplayer\LSML\PZ.w  svchost.exe
Drops file in Windows directory (3 IoCs)

description  ioc  Process
File opened for modification  C:\Windows\RECYCLE.BIN  2024-04-22_36501c4498679c0162360a75b1c373ad_icedid.exe
File opened for modification  C:\Windows\RECYCLE.BIN  wmplayer.exe
File opened for modification  C:\Windows\RECYCLE.BIN  svchost.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

pid  Process
1952  schtasks.exe
Suspicious behavior: EnumeratesProcesses (54 IoCs)

pid  Process  (entries)
2388  2024-04-22_36501c4498679c0162360a75b1c373ad_icedid.exe  4
4712  wmplayer.exe  4
2016  svchost.exe  46
Suspicious use of SetWindowsHookEx (8 IoCs)

pid  Process  (entries)
2388  2024-04-22_36501c4498679c0162360a75b1c373ad_icedid.exe  2
4136  2024-04-22_36501c4498679c0162360a75b1c373ad_icedid.exe  2
4712  wmplayer.exe  2
2016  svchost.exe  2
Suspicious use of WriteProcessMemory (36 IoCs)

description  pid  Process  procid_target  (entries)
PID 2388 wrote to memory of 4136  2388  2024-04-22_36501c4498679c0162360a75b1c373ad_icedid.exe  87  3
PID 2388 wrote to memory of 3880  2388  2024-04-22_36501c4498679c0162360a75b1c373ad_icedid.exe  88  3
PID 3880 wrote to memory of 4228  3880  cmd.exe  90  3
PID 2388 wrote to memory of 5072  2388  2024-04-22_36501c4498679c0162360a75b1c373ad_icedid.exe  94  3
PID 5072 wrote to memory of 1952  5072  cmd.exe  96  3
PID 2388 wrote to memory of 4532  2388  2024-04-22_36501c4498679c0162360a75b1c373ad_icedid.exe  97  3
PID 2388 wrote to memory of 4712  2388  2024-04-22_36501c4498679c0162360a75b1c373ad_icedid.exe  99  3
PID 4712 wrote to memory of 4348  4712  wmplayer.exe  100  3
PID 4532 wrote to memory of 4696  4532  cmd.exe  101  3
PID 4712 wrote to memory of 2016  4712  wmplayer.exe  102  9
Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-22_36501c4498679c0162360a75b1c373ad_icedid.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-22_36501c4498679c0162360a75b1c373ad_icedid.exe"
  PID: 2388
  - Checks computer location settings
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\2024-04-22_36501c4498679c0162360a75b1c373ad_icedid.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\2024-04-22_36501c4498679c0162360a75b1c373ad_icedid.exe
    PID: 4136
    - Suspicious use of SetWindowsHookEx

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c schtasks /delete /tn WindowsMediaPlayer /f
    PID: 3880
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /delete /tn WindowsMediaPlayer /f
      PID: 4228

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c schtasks /create /tn WindowsMediaPlayer /tr "\"C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe\"" /SC ONLOGON /delay 0000:03 /RL HIGHEST
    PID: 5072
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /tn WindowsMediaPlayer /tr "\"C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe\"" /SC ONLOGON /delay 0000:03 /RL HIGHEST
      PID: 1952
      - Creates scheduled task(s)

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /d 1 /t REG_DWORD /f
    PID: 4532
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\reg.exe
      Command line: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /d 1 /t REG_DWORD /f
      PID: 4696

  C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe
    Command line: "C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe"
    PID: 4712
    - Executes dropped EXE
    - Enumerates connected drives
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\svchost.exe
      Command line: C:\Windows\System32\svchost.exe
      PID: 4348

    C:\Windows\SysWOW64\svchost.exe
      Command line: C:\Windows\System32\svchost.exe
      PID: 2016
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2.3MB
MD5: c7a66650905b73fb0eadd97ad381c76c
SHA1: def2c777a673b3f475e5970d6a4696e2186b4a97
SHA256: 948c8a2a2e338d89b32c3a4a287c88c4108f30456bfbb09ad105bcc849f568f5
SHA512: e28f898df164e6f7cc172030783d78f6a1a13d20bd72ca7388c695497b75d4fc1d9116cb363503db372f26d0d4d4c5106d2921d44d43c6f5987dac52a43c32f3

Filesize: 439B
MD5: 58f28d4a2450dbf947bc76faf2dcabdb
SHA1: 955861a356f1b3bfd15ec157cc987e5ba76cbb7f
SHA256: a24e9a0f5a5636574b23e49ab2d35c0318f64caca990c3ed2f5e2214a41d673e
SHA512: 9ee9691215648657356854b66603fa94b32fbb1a57150fe606abf456616c834174926f5ee79575ddc7a425e0e43d68079b57f9ee467069ea5aba3722d1ec88c7

Filesize: 508B
MD5: 080afab1582fb2010f4a8aa180a40b46
SHA1: 93e0bce79c4603b51be6c3eac88112e05bf19ee2
SHA256: 90659218f8eb6e1871aed45bc3ece65a5c05a4ea0e9c836cffd982dacfaf9162
SHA512: b385bbdb7d7b986f4fd6b5ba224afeeccc6a0a0aa130a256aa9657cf61c59466e30898043762a1db5a8ee3848bcd8a1434299c7c0dfa8f71ef615567419bfe68