d9a821f39c7a139971a5db14603c7683b7227b597ccf58e32aecd022d04b421d

General

Target

2024-04-28_43375d4430f8aa4e3808c2874c18ceb8_icedid.exe
Size

284KB
MD5

43375d4430f8aa4e3808c2874c18ceb8
SHA1

73f25b3fed49577de9afa111421705188a48dc31
SHA256

d9a821f39c7a139971a5db14603c7683b7227b597ccf58e32aecd022d04b421d
SHA512

b102eea1824af104dacbb56d25de7474fce9aeaecfc0094660f197913babb6422270f9f465f62074bf1e601defdb6f84e76d8f317403a4b91174dfb3b4449b81
SSDEEP

6144:plDx7mlcAZBcIdqkorDfoR/0C1fzDB9ePHSJ:plDx7mlHZo7HoRv177ePH

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

sethome3189.exe

pid process

2628 sethome3189.exe
Loads dropped DLL 2 IoCs

Processes:

2024-04-28_43375d4430f8aa4e3808c2874c18ceb8_icedid.exe

pid process

2188 2024-04-28_43375d4430f8aa4e3808c2874c18ceb8_icedid.exe
2188 2024-04-28_43375d4430f8aa4e3808c2874c18ceb8_icedid.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2628	sethome3189.exe

Drops file in Windows directory 2 IoCs

Processes:

2024-04-28_43375d4430f8aa4e3808c2874c18ceb8_icedid.exe

description	ioc	process
File created	\??\c:\windows\system\sethome3189.exe	2024-04-28_43375d4430f8aa4e3808c2874c18ceb8_icedid.exe
File opened for modification	\??\c:\windows\system\sethome3189.exe	2024-04-28_43375d4430f8aa4e3808c2874c18ceb8_icedid.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

Processes:

2024-04-28_43375d4430f8aa4e3808c2874c18ceb8_icedid.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.baiduo.org/"	2024-04-28_43375d4430f8aa4e3808c2874c18ceb8_icedid.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

2024-04-28_43375d4430f8aa4e3808c2874c18ceb8_icedid.exe

pid process

2188 2024-04-28_43375d4430f8aa4e3808c2874c18ceb8_icedid.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

2024-04-28_43375d4430f8aa4e3808c2874c18ceb8_icedid.exesethome3189.exe

pid	process
2188	2024-04-28_43375d4430f8aa4e3808c2874c18ceb8_icedid.exe
2188	2024-04-28_43375d4430f8aa4e3808c2874c18ceb8_icedid.exe
2188	2024-04-28_43375d4430f8aa4e3808c2874c18ceb8_icedid.exe
2188	2024-04-28_43375d4430f8aa4e3808c2874c18ceb8_icedid.exe
2628	sethome3189.exe
2628	sethome3189.exe
2628	sethome3189.exe
2628	sethome3189.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

2024-04-28_43375d4430f8aa4e3808c2874c18ceb8_icedid.exe

description	pid	process	target process
PID 2188 wrote to memory of 2628	2188	2024-04-28_43375d4430f8aa4e3808c2874c18ceb8_icedid.exe	sethome3189.exe
PID 2188 wrote to memory of 2628	2188	2024-04-28_43375d4430f8aa4e3808c2874c18ceb8_icedid.exe	sethome3189.exe
PID 2188 wrote to memory of 2628	2188	2024-04-28_43375d4430f8aa4e3808c2874c18ceb8_icedid.exe	sethome3189.exe
PID 2188 wrote to memory of 2628	2188	2024-04-28_43375d4430f8aa4e3808c2874c18ceb8_icedid.exe	sethome3189.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-28_43375d4430f8aa4e3808c2874c18ceb8_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-28_43375d4430f8aa4e3808c2874c18ceb8_icedid.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies Internet Explorer start page
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2188

\??\c:\windows\system\sethome3189.exe
c:\windows\system\sethome3189.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2628

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\abc.lnk
Filesize
965B

MD5
ce722ef9a86c59126c4245462fc403dd

SHA1
de7168f484c16f0d5eaaaa6eb779245c8eba54c5

SHA256
6f45cadf35df8b4cfb611be0bf7ffb8078eb6a9ab51897cd594b6aad0a0e9f06

SHA512
fc6486158b9bf375172c339035292242997efbd654d0002a0e7015d66101c72f3a8a72efdcd37a0f8d9850ef18bc6aa97690e9248e486d9569beb65e034a4afc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk
Filesize
1KB

MD5
7e4005160fe38daec6d307dae727b4ee

SHA1
db1b76470f8278a5c79974ab3d503d54e58d8afd

SHA256
7856bfb6f781fe5d18fb1558f17684a8e820edd62afda716b2e8547656f5b4b7

SHA512
a84a1a783ecbf08fb1872096467c4c79ee2e429330137a67704f8fe0186f5330567ee266e61f76697ef32e45f8e8f7d9732c6b38618d056bf399652966234b15

Download Submit
C:\Users\abc.lnk
Filesize
1KB

MD5
eb87efe8c0c062e31fd384fd4afa9c3f

SHA1
24dcb9b16c5b0b22a6cd6bf66944006648d1d768

SHA256
884c07982837c3b640fa09900e00d686dbc39f0f870aacc76eda2c9c6413efca

SHA512
291ab8fb55880e2ad10a0dcb0ca3b4bdd643fdb09703902f6d7ac217f54a118d5b6d2a86564e58d0cd3f050fe8e900e260678937975bc6c115b1d24d0f754088

Download Submit
\Windows\system\sethome3189.exe
Filesize
284KB

MD5
43f10b350d32fe28f2526ff5d449e6f4

SHA1
97fc6e15567521d634b8641bea42952caf1bf46f

SHA256
1b4e74904c081d488180adb5c07ded422083e6b6fa4cd67c54400ed8a53f0dad

SHA512
5790d265f203aeb7db22fa3c6760022fcb246e1f5760e088e13035affe1dbc0a2ff71bf0f10fa0816cc5335e25ae1eaae578613aee4d10fa0741d6729d610bf1

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads