Malware Analysis Report

2025-01-18 22:15

Sample ID 240430-bbb1yafh4z
Target 2024-04-30_adda015e886ad13a3fd8b247b67f4870_icedid
SHA256 1591528a480f451786565f13395b38fb06933e15843b6c1d5a283ff480f9072c
Tags adware evasion stealer trojan
Score 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 7/10

SHA256 1591528a480f451786565f13395b38fb06933e15843b6c1d5a283ff480f9072c

Threat Level: Shows suspicious behavior

The file 2024-04-30_adda015e886ad13a3fd8b247b67f4870_icedid was found to show suspicious behavior.

Malicious Activity Summary

adware evasion stealer trojan

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Installs/modifies Browser Helper Object

Drops desktop.ini file(s)

Checks whether UAC is enabled

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-30 00:57

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-30 00:57

Reported

2024-04-30 01:00

Platform

win10v2004-20240419-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-30_adda015e886ad13a3fd8b247b67f4870_icedid.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2024-04-30_adda015e886ad13a3fd8b247b67f4870_icedid.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IntimidateCulpable.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IntimidateCulpable.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\2024-04-30_adda015e886ad13a3fd8b247b67f4870_icedid.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification \??\f:\$recycle.bin\s-1-5-21-17203666-93769886-2545153620-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\IntimidateCulpable.exe N/A
File opened for modification \??\f:\$recycle.bin\s-1-5-21-17203666-93769886-2545153620-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\IntimidateCulpable.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4B669E1-CDD4-2208-7A42-A045F4609710} C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\SpeleologyFeline\SpeleologySpeleology.exe C:\Users\Admin\AppData\Local\Temp\IntimidateCulpable.exe N/A
File opened for modification C:\Program Files\SpeleologyFeline\SpeleologySpeleology.exe C:\Users\Admin\AppData\Local\Temp\IntimidateCulpable.exe N/A
File created C:\Program Files\LivableSpeleology\LivableNatty.exe C:\Users\Admin\AppData\Local\Temp\IntimidateCulpable.exe N/A
File opened for modification C:\Program Files\LivableSpeleology\LivableNatty.exe C:\Users\Admin\AppData\Local\Temp\IntimidateCulpable.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\RVWVLYCAVB.dll C:\Users\Admin\AppData\Local\Temp\2024-04-30_adda015e886ad13a3fd8b247b67f4870_icedid.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D4B669E1-CDD4-2208-7A42-A045F4609710}\ = "xunlei Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2654C523-FB79-3EA1-CA99-745FAF63915A}\1.0\0\win32\ = "C:\\Windows\\RVWVLYCAVB.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2654C523-FB79-3EA1-CA99-745FAF63915A}\1.0\HELPDIR\ = "C:\\Windows" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ = "Ixunlei" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei.1\CLSID\ = "{D4B669E1-CDD4-2208-7A42-A045F4609710}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\ = "xunlei Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D4B669E1-CDD4-2208-7A42-A045F4609710}\InprocServer32\ = "C:\\Windows\\RVWVLYCAVB.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2654C523-FB79-3EA1-CA99-745FAF63915A}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2654C523-FB79-3EA1-CA99-745FAF63915A}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D4B669E1-CDD4-2208-7A42-A045F4609710}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D4B669E1-CDD4-2208-7A42-A045F4609710}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2654C523-FB79-3EA1-CA99-745FAF63915A}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2654C523-FB79-3EA1-CA99-745FAF63915A}\1.0\ = "Thunder 1.0 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib\ = "{2654C523-FB79-3EA1-CA99-745FAF63915A}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib\ = "{2654C523-FB79-3EA1-CA99-745FAF63915A}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D4B669E1-CDD4-2208-7A42-A045F4609710} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D4B669E1-CDD4-2208-7A42-A045F4609710}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D4B669E1-CDD4-2208-7A42-A045F4609710}\ProgID\ = "Thunder.xunlei.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D4B669E1-CDD4-2208-7A42-A045F4609710}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D4B669E1-CDD4-2208-7A42-A045F4609710}\TypeLib\ = "{2654C523-FB79-3EA1-CA99-745FAF63915A}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D4B669E1-CDD4-2208-7A42-A045F4609710}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D4B669E1-CDD4-2208-7A42-A045F4609710}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2654C523-FB79-3EA1-CA99-745FAF63915A}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D4B669E1-CDD4-2208-7A42-A045F4609710}\VersionIndependentProgID\ = "Thunder.xunlei" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2654C523-FB79-3EA1-CA99-745FAF63915A} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2654C523-FB79-3EA1-CA99-745FAF63915A}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2654C523-FB79-3EA1-CA99-745FAF63915A}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ = "Ixunlei" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei.1\ = "xunlei Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\CLSID\ = "{D4B669E1-CDD4-2208-7A42-A045F4609710}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\CurVer\ = "Thunder.xunlei.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 440 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-30_adda015e886ad13a3fd8b247b67f4870_icedid.exe C:\Windows\SysWOW64\regsvr32.exe
PID 440 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-30_adda015e886ad13a3fd8b247b67f4870_icedid.exe C:\Windows\SysWOW64\regsvr32.exe
PID 440 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-30_adda015e886ad13a3fd8b247b67f4870_icedid.exe C:\Windows\SysWOW64\regsvr32.exe
PID 440 wrote to memory of 4168 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-30_adda015e886ad13a3fd8b247b67f4870_icedid.exe C:\Users\Admin\AppData\Local\Temp\IntimidateCulpable.exe
PID 440 wrote to memory of 4168 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-30_adda015e886ad13a3fd8b247b67f4870_icedid.exe C:\Users\Admin\AppData\Local\Temp\IntimidateCulpable.exe
PID 440 wrote to memory of 4168 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-30_adda015e886ad13a3fd8b247b67f4870_icedid.exe C:\Users\Admin\AppData\Local\Temp\IntimidateCulpable.exe
PID 440 wrote to memory of 4884 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-30_adda015e886ad13a3fd8b247b67f4870_icedid.exe C:\Users\Admin\AppData\Local\Temp\IntimidateCulpable.exe
PID 440 wrote to memory of 4884 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-30_adda015e886ad13a3fd8b247b67f4870_icedid.exe C:\Users\Admin\AppData\Local\Temp\IntimidateCulpable.exe
PID 440 wrote to memory of 4884 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-30_adda015e886ad13a3fd8b247b67f4870_icedid.exe C:\Users\Admin\AppData\Local\Temp\IntimidateCulpable.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-30_adda015e886ad13a3fd8b247b67f4870_icedid.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-30_adda015e886ad13a3fd8b247b67f4870_icedid.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s "C:\Windows\RVWVLYCAVB.dll"

C:\Users\Admin\AppData\Local\Temp\IntimidateCulpable.exe

"C:\Users\Admin\AppData\Local\Temp\IntimidateCulpable.exe"

C:\Users\Admin\AppData\Local\Temp\IntimidateCulpable.exe

C:\Users\Admin\AppData\Local\Temp\IntimidateCulpable.exe

Network

Country Destination Domain Proto
US 205.209.168.5:443 tcp
US 8.8.8.8:53 buytomer.oCry.com udp
US 8.8.8.8:53 smithewife.zyns.com udp
US 205.209.168.5:443 tcp

Files

C:\Windows\RVWVLYCAVB.dll

MD5 d056ff56318dc13d323374f50b03492f
SHA1 e7e06cfa6df17d38cfb847062c05364e4c756c0f
SHA256 2334098c7a9bfa26b9ea90f3fb06a9dc006b5d2149d1b392da144bb712c23d46
SHA512 7e149e35185a616d1dab06c79bffffd092ce851bfd3cd33fa613e34c3dc613f12f3c2168264d5d12e1384dc3b9ac58a5ff3010ff1de9e250cc4fa3c777b145ec

C:\Users\Admin\AppData\Local\Temp\IntimidateCulpable.exe

MD5 927476200feeb6160af47839940f10cc
SHA1 77dbd1d864d608a59fe5be14c10df1682de40486
SHA256 7f3bcfae359fce0e86d1f0b8881d204b3f4bea37b993c06d8a42d3771d92c2da
SHA512 42e9c462242865567d1b5429d45b561535c1fd732ba62ef1c773e8f446663adb5cf81bf27c3dee16458f1e56397911ba0d1b54db372f619f536e2161c1121c9f

C:\Program Files\LivableSpeleology\LivableNatty.exe

MD5 adda015e886ad13a3fd8b247b67f4870
SHA1 a08a3f749758fb712692d87dfa16171ff6aac23b
SHA256 1591528a480f451786565f13395b38fb06933e15843b6c1d5a283ff480f9072c
SHA512 9482494ee1fbbe8ced4565bf60971c0bfab681bd3f6d1304c4a405b0b3ddf30fc5ed4105cf096837461698a44d85557e11038079f0614a8048d6000a106d3301

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-30 00:57

Reported

2024-04-30 01:00

Platform

win7-20231129-en

Max time kernel

121s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-30_adda015e886ad13a3fd8b247b67f4870_icedid.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IntimidateCulpable.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IntimidateCulpable.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\2024-04-30_adda015e886ad13a3fd8b247b67f4870_icedid.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification \??\f:\$recycle.bin\s-1-5-21-3627615824-4061627003-3019543961-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\IntimidateCulpable.exe N/A
File opened for modification \??\f:\$recycle.bin\s-1-5-21-3627615824-4061627003-3019543961-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\IntimidateCulpable.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{D4B669E1-CDD4-2208-7A42-A045F4609710} C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\RueSelf-assertion\RueEnact.exe C:\Users\Admin\AppData\Local\Temp\IntimidateCulpable.exe N/A
File opened for modification C:\Program Files\RueSelf-assertion\RueEnact.exe C:\Users\Admin\AppData\Local\Temp\IntimidateCulpable.exe N/A
File opened for modification C:\Program Files\ScoreFumes\ScoreScore.exe C:\Users\Admin\AppData\Local\Temp\IntimidateCulpable.exe N/A
File created C:\Program Files\ScoreFumes\ScoreScore.exe C:\Users\Admin\AppData\Local\Temp\IntimidateCulpable.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\RVWVLYCAVB.dll C:\Users\Admin\AppData\Local\Temp\2024-04-30_adda015e886ad13a3fd8b247b67f4870_icedid.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2654C523-FB79-3EA1-CA99-745FAF63915A}\1.0\0\win32\ = "C:\\Windows\\RVWVLYCAVB.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4B669E1-CDD4-2208-7A42-A045F4609710}\ = "xunlei Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4B669E1-CDD4-2208-7A42-A045F4609710}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2654C523-FB79-3EA1-CA99-745FAF63915A}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2654C523-FB79-3EA1-CA99-745FAF63915A}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei.1\ = "xunlei Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4B669E1-CDD4-2208-7A42-A045F4609710}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4B669E1-CDD4-2208-7A42-A045F4609710}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2654C523-FB79-3EA1-CA99-745FAF63915A}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ = "Ixunlei" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ = "Ixunlei" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib\ = "{2654C523-FB79-3EA1-CA99-745FAF63915A}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\CLSID\ = "{D4B669E1-CDD4-2208-7A42-A045F4609710}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4B669E1-CDD4-2208-7A42-A045F4609710}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\ = "xunlei Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2654C523-FB79-3EA1-CA99-745FAF63915A}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2654C523-FB79-3EA1-CA99-745FAF63915A} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2654C523-FB79-3EA1-CA99-745FAF63915A}\1.0\ = "Thunder 1.0 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei.1\CLSID\ = "{D4B669E1-CDD4-2208-7A42-A045F4609710}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4B669E1-CDD4-2208-7A42-A045F4609710}\VersionIndependentProgID\ = "Thunder.xunlei" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2654C523-FB79-3EA1-CA99-745FAF63915A}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\CurVer\ = "Thunder.xunlei.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4B669E1-CDD4-2208-7A42-A045F4609710} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2654C523-FB79-3EA1-CA99-745FAF63915A}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2654C523-FB79-3EA1-CA99-745FAF63915A}\1.0\HELPDIR\ = "C:\\Windows" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4B669E1-CDD4-2208-7A42-A045F4609710}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4B669E1-CDD4-2208-7A42-A045F4609710}\InprocServer32\ = "C:\\Windows\\RVWVLYCAVB.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4B669E1-CDD4-2208-7A42-A045F4609710}\TypeLib\ = "{2654C523-FB79-3EA1-CA99-745FAF63915A}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib\ = "{2654C523-FB79-3EA1-CA99-745FAF63915A}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4B669E1-CDD4-2208-7A42-A045F4609710}\ProgID\ = "Thunder.xunlei.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4B669E1-CDD4-2208-7A42-A045F4609710}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2416 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-30_adda015e886ad13a3fd8b247b67f4870_icedid.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2416 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-30_adda015e886ad13a3fd8b247b67f4870_icedid.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2416 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-30_adda015e886ad13a3fd8b247b67f4870_icedid.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2416 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-30_adda015e886ad13a3fd8b247b67f4870_icedid.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2416 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-30_adda015e886ad13a3fd8b247b67f4870_icedid.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2416 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-30_adda015e886ad13a3fd8b247b67f4870_icedid.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2416 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-30_adda015e886ad13a3fd8b247b67f4870_icedid.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2416 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-30_adda015e886ad13a3fd8b247b67f4870_icedid.exe C:\Users\Admin\AppData\Local\Temp\IntimidateCulpable.exe
PID 2416 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-30_adda015e886ad13a3fd8b247b67f4870_icedid.exe C:\Users\Admin\AppData\Local\Temp\IntimidateCulpable.exe
PID 2416 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-30_adda015e886ad13a3fd8b247b67f4870_icedid.exe C:\Users\Admin\AppData\Local\Temp\IntimidateCulpable.exe
PID 2416 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-30_adda015e886ad13a3fd8b247b67f4870_icedid.exe C:\Users\Admin\AppData\Local\Temp\IntimidateCulpable.exe
PID 2416 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-30_adda015e886ad13a3fd8b247b67f4870_icedid.exe C:\Users\Admin\AppData\Local\Temp\IntimidateCulpable.exe
PID 2416 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-30_adda015e886ad13a3fd8b247b67f4870_icedid.exe C:\Users\Admin\AppData\Local\Temp\IntimidateCulpable.exe
PID 2416 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-30_adda015e886ad13a3fd8b247b67f4870_icedid.exe C:\Users\Admin\AppData\Local\Temp\IntimidateCulpable.exe
PID 2416 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-30_adda015e886ad13a3fd8b247b67f4870_icedid.exe C:\Users\Admin\AppData\Local\Temp\IntimidateCulpable.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-30_adda015e886ad13a3fd8b247b67f4870_icedid.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-30_adda015e886ad13a3fd8b247b67f4870_icedid.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s "C:\Windows\RVWVLYCAVB.dll"

C:\Users\Admin\AppData\Local\Temp\IntimidateCulpable.exe

"C:\Users\Admin\AppData\Local\Temp\IntimidateCulpable.exe"

C:\Users\Admin\AppData\Local\Temp\IntimidateCulpable.exe

C:\Users\Admin\AppData\Local\Temp\IntimidateCulpable.exe

Network

Country Destination Domain Proto
US 205.209.168.5:443 tcp
US 8.8.8.8:53 buytomer.oCry.com udp
US 8.8.8.8:53 smithewife.zyns.com udp
US 205.209.168.5:443 tcp

Files

C:\Windows\RVWVLYCAVB.dll

MD5 d056ff56318dc13d323374f50b03492f
SHA1 e7e06cfa6df17d38cfb847062c05364e4c756c0f
SHA256 2334098c7a9bfa26b9ea90f3fb06a9dc006b5d2149d1b392da144bb712c23d46
SHA512 7e149e35185a616d1dab06c79bffffd092ce851bfd3cd33fa613e34c3dc613f12f3c2168264d5d12e1384dc3b9ac58a5ff3010ff1de9e250cc4fa3c777b145ec

\Users\Admin\AppData\Local\Temp\IntimidateCulpable.exe

MD5 927476200feeb6160af47839940f10cc
SHA1 77dbd1d864d608a59fe5be14c10df1682de40486
SHA256 7f3bcfae359fce0e86d1f0b8881d204b3f4bea37b993c06d8a42d3771d92c2da
SHA512 42e9c462242865567d1b5429d45b561535c1fd732ba62ef1c773e8f446663adb5cf81bf27c3dee16458f1e56397911ba0d1b54db372f619f536e2161c1121c9f

C:\Program Files\RueSelf-assertion\RueEnact.exe

MD5 adda015e886ad13a3fd8b247b67f4870
SHA1 a08a3f749758fb712692d87dfa16171ff6aac23b
SHA256 1591528a480f451786565f13395b38fb06933e15843b6c1d5a283ff480f9072c
SHA512 9482494ee1fbbe8ced4565bf60971c0bfab681bd3f6d1304c4a405b0b3ddf30fc5ed4105cf096837461698a44d85557e11038079f0614a8048d6000a106d3301