c76ee321dc91e2224276d0477fdc66ddeec7447357017848cde3499cdee3cfc6

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
26/04/2024, 20:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-26_a4093f09936de9cc3103334e8e5c203e_icedid.exe
Size

284KB
MD5

a4093f09936de9cc3103334e8e5c203e
SHA1

bfee8f68b93fa205715bcbc1258af05da4387a7c
SHA256

c76ee321dc91e2224276d0477fdc66ddeec7447357017848cde3499cdee3cfc6
SHA512

4eaff9b91c096a7f245735972b977e3349b2f5d432de99e907154662cdee25eb128286ea14044dce02c19abac28405dd08d1339abece54d23eb6ccf27c1cb79d
SSDEEP

6144:BlDx7mlcAZBcIdqkorDfoR/0C1fzDB9ePHSJ:BlDx7mlHZo7HoRv177ePH

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3012	sethome2078.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	\??\c:\windows\system\sethome2078.exe	2024-04-26_a4093f09936de9cc3103334e8e5c203e_icedid.exe
File opened for modification	\??\c:\windows\system\sethome2078.exe	2024-04-26_a4093f09936de9cc3103334e8e5c203e_icedid.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.baiduo.org/"	2024-04-26_a4093f09936de9cc3103334e8e5c203e_icedid.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1648	2024-04-26_a4093f09936de9cc3103334e8e5c203e_icedid.exe
1648	2024-04-26_a4093f09936de9cc3103334e8e5c203e_icedid.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1648	2024-04-26_a4093f09936de9cc3103334e8e5c203e_icedid.exe
1648	2024-04-26_a4093f09936de9cc3103334e8e5c203e_icedid.exe
1648	2024-04-26_a4093f09936de9cc3103334e8e5c203e_icedid.exe
1648	2024-04-26_a4093f09936de9cc3103334e8e5c203e_icedid.exe
3012	sethome2078.exe
3012	sethome2078.exe
3012	sethome2078.exe
3012	sethome2078.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1648 wrote to memory of 3012	1648	2024-04-26_a4093f09936de9cc3103334e8e5c203e_icedid.exe	89
PID 1648 wrote to memory of 3012	1648	2024-04-26_a4093f09936de9cc3103334e8e5c203e_icedid.exe	89
PID 1648 wrote to memory of 3012	1648	2024-04-26_a4093f09936de9cc3103334e8e5c203e_icedid.exe	89

C:\Users\Admin\AppData\Local\Temp\2024-04-26_a4093f09936de9cc3103334e8e5c203e_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-26_a4093f09936de9cc3103334e8e5c203e_icedid.exe"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer start page
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1648
- \??\c:\windows\system\sethome2078.exe
  c:\windows\system\sethome2078.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Internet Explorer.lnk

Filesize
1KB

MD5
6073cf41b05b077ca3898c8b94ba2b9e

SHA1
de719e43da97fd8cf3b66f9c5fc0bd1e45d47381

SHA256
84843bf0483bb0f1e076aa96cfe6c4e6e850e8aaa3a0facb481431acff7c4d4f

SHA512
6a7833011b0bd2c6c37d395aaa15516759c1b24a15461314213eea2ddc2e8f29239a189065c5300f9d731d78bb3fe4d78742131e54603c2dfadc384aa2a65d2c

Download Submit
C:\Users\abc.lnk

Filesize
1KB

MD5
35374cf499ae2812f41910dbb84123ee

SHA1
c844624095ff14fe41d73685e1122a7646d1b5f4

SHA256
a519e5889c3f232aa3ffcf90153ceb6ea1ab8c69de68a8ba4dabe5aca71b606a

SHA512
0eb4217f4cb1289332beb514eb50efd4811899d55b289f6717389789ab0851dad7ae06cdc4d55e8081bda0fd74591cc8e3c67194b2de814281c3c360f8a066bf

Download Submit
C:\Windows\System\sethome2078.exe

Filesize
284KB

MD5
b5193c9301e19145bb48ea0f1f0e9e66

SHA1
9f1eff8c63d6f8854df04efb32b0125c3472d4b6

SHA256
069c389ec582ef5f09e1230394aefb6a4c4a885366766844245b0d18bf45a923

SHA512
a41c9b94ba0162b9ae21f8740fbd7eaa94016a0951ffcceca44e114a5597176496c4e94bbaa332158da029b54a00a5b34e9730ba50551fe885f833ea1b77f2ad

Download Submit