0b17037c872ad338e70bdec5593ef2d0af673bd8b1cac17adb51dc996a4083cc

Analysis

max time kernel
120s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
15/05/2024, 20:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-15_876eae7a13756dfb6df30099bf9569dc_icedid.exe
Size

10.2MB
MD5

876eae7a13756dfb6df30099bf9569dc
SHA1

cd7fb896bb30a2f77246fcb060121aacb65528da
SHA256

0b17037c872ad338e70bdec5593ef2d0af673bd8b1cac17adb51dc996a4083cc
SHA512

0ba53fb6ff2984d1ebb498da58f124d42b20aa6153412cbed8d20f1ed47f64dd1a7c20455f146a0275e14c1ef6da008b0ad993825a2b65c7e1421139564c201c
SSDEEP

98304:Xe5x6c1OwoCSG8kM8LNhS9Yw8OCe5x6c1OwoCSG8kM8LNhS9Yw8OV:wKCSL8RwzJKCSL8RwzV

Score

8^/10

persistence

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\windows\SysWOW64\drivers\spo0lve.exe	2024-05-15_876eae7a13756dfb6df30099bf9569dc_icedid.exe
File opened for modification	C:\windows\SysWOW64\drivers\spo0lve.exe	2024-05-15_876eae7a13756dfb6df30099bf9569dc_icedid.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\spron = "C:\\Users\\Admin\\AppData\\Local\\Temp/2024-05-15_876eae7a13756dfb6df30099bf9569dc_icedid.exe"	2024-05-15_876eae7a13756dfb6df30099bf9569dc_icedid.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Shades of Blue.htm	2024-05-15_876eae7a13756dfb6df30099bf9569dc_icedid.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	2024-05-15_876eae7a13756dfb6df30099bf9569dc_icedid.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	2024-05-15_876eae7a13756dfb6df30099bf9569dc_icedid.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\preface.htm	2024-05-15_876eae7a13756dfb6df30099bf9569dc_icedid.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	2024-05-15_876eae7a13756dfb6df30099bf9569dc_icedid.exe
File created	C:\Program Files\Windows Media Player\wmpconfig.exe	2024-05-15_876eae7a13756dfb6df30099bf9569dc_icedid.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	2024-05-15_876eae7a13756dfb6df30099bf9569dc_icedid.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Orange Circles.htm	2024-05-15_876eae7a13756dfb6df30099bf9569dc_icedid.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	2024-05-15_876eae7a13756dfb6df30099bf9569dc_icedid.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	2024-05-15_876eae7a13756dfb6df30099bf9569dc_icedid.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\cpyr.htm	2024-05-15_876eae7a13756dfb6df30099bf9569dc_icedid.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	2024-05-15_876eae7a13756dfb6df30099bf9569dc_icedid.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.htm	2024-05-15_876eae7a13756dfb6df30099bf9569dc_icedid.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	2024-05-15_876eae7a13756dfb6df30099bf9569dc_icedid.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	2024-05-15_876eae7a13756dfb6df30099bf9569dc_icedid.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	2024-05-15_876eae7a13756dfb6df30099bf9569dc_icedid.exe
File created	C:\Program Files\Windows Defender\MpCmdRun.exe	2024-05-15_876eae7a13756dfb6df30099bf9569dc_icedid.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	2024-05-15_876eae7a13756dfb6df30099bf9569dc_icedid.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	2024-05-15_876eae7a13756dfb6df30099bf9569dc_icedid.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	2024-05-15_876eae7a13756dfb6df30099bf9569dc_icedid.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	2024-05-15_876eae7a13756dfb6df30099bf9569dc_icedid.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	2024-05-15_876eae7a13756dfb6df30099bf9569dc_icedid.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	2024-05-15_876eae7a13756dfb6df30099bf9569dc_icedid.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	2024-05-15_876eae7a13756dfb6df30099bf9569dc_icedid.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	2024-05-15_876eae7a13756dfb6df30099bf9569dc_icedid.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	2024-05-15_876eae7a13756dfb6df30099bf9569dc_icedid.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	2024-05-15_876eae7a13756dfb6df30099bf9569dc_icedid.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	2024-05-15_876eae7a13756dfb6df30099bf9569dc_icedid.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	2024-05-15_876eae7a13756dfb6df30099bf9569dc_icedid.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	2024-05-15_876eae7a13756dfb6df30099bf9569dc_icedid.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	2024-05-15_876eae7a13756dfb6df30099bf9569dc_icedid.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	2024-05-15_876eae7a13756dfb6df30099bf9569dc_icedid.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-05-15_876eae7a13756dfb6df30099bf9569dc_icedid.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.htm	2024-05-15_876eae7a13756dfb6df30099bf9569dc_icedid.exe
File created	C:\Program Files\Internet Explorer\iexplore.exe	2024-05-15_876eae7a13756dfb6df30099bf9569dc_icedid.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	2024-05-15_876eae7a13756dfb6df30099bf9569dc_icedid.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	2024-05-15_876eae7a13756dfb6df30099bf9569dc_icedid.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	2024-05-15_876eae7a13756dfb6df30099bf9569dc_icedid.exe
File created	C:\Program Files\Windows Mail\wab.exe	2024-05-15_876eae7a13756dfb6df30099bf9569dc_icedid.exe
File created	C:\Program Files\Windows Media Player\wmpenc.exe	2024-05-15_876eae7a13756dfb6df30099bf9569dc_icedid.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe	2024-05-15_876eae7a13756dfb6df30099bf9569dc_icedid.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Hand Prints.htm	2024-05-15_876eae7a13756dfb6df30099bf9569dc_icedid.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	2024-05-15_876eae7a13756dfb6df30099bf9569dc_icedid.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	2024-05-15_876eae7a13756dfb6df30099bf9569dc_icedid.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	2024-05-15_876eae7a13756dfb6df30099bf9569dc_icedid.exe
File created	C:\Program Files\Windows Mail\WinMail.exe	2024-05-15_876eae7a13756dfb6df30099bf9569dc_icedid.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.htm	2024-05-15_876eae7a13756dfb6df30099bf9569dc_icedid.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	2024-05-15_876eae7a13756dfb6df30099bf9569dc_icedid.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	2024-05-15_876eae7a13756dfb6df30099bf9569dc_icedid.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	2024-05-15_876eae7a13756dfb6df30099bf9569dc_icedid.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	2024-05-15_876eae7a13756dfb6df30099bf9569dc_icedid.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.htm	2024-05-15_876eae7a13756dfb6df30099bf9569dc_icedid.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	2024-05-15_876eae7a13756dfb6df30099bf9569dc_icedid.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	2024-05-15_876eae7a13756dfb6df30099bf9569dc_icedid.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-05-15_876eae7a13756dfb6df30099bf9569dc_icedid.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-05-15_876eae7a13756dfb6df30099bf9569dc_icedid.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe	2024-05-15_876eae7a13756dfb6df30099bf9569dc_icedid.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe	2024-05-15_876eae7a13756dfb6df30099bf9569dc_icedid.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe	2024-05-15_876eae7a13756dfb6df30099bf9569dc_icedid.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	2024-05-15_876eae7a13756dfb6df30099bf9569dc_icedid.exe
File created	C:\Program Files\Windows Media Player\wmprph.exe	2024-05-15_876eae7a13756dfb6df30099bf9569dc_icedid.exe
File created	C:\Program Files\Windows Media Player\wmplayer.exe	2024-05-15_876eae7a13756dfb6df30099bf9569dc_icedid.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	2024-05-15_876eae7a13756dfb6df30099bf9569dc_icedid.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	2024-05-15_876eae7a13756dfb6df30099bf9569dc_icedid.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
2244	2024-05-15_876eae7a13756dfb6df30099bf9569dc_icedid.exe
2244	2024-05-15_876eae7a13756dfb6df30099bf9569dc_icedid.exe
2244	2024-05-15_876eae7a13756dfb6df30099bf9569dc_icedid.exe
2244	2024-05-15_876eae7a13756dfb6df30099bf9569dc_icedid.exe
2244	2024-05-15_876eae7a13756dfb6df30099bf9569dc_icedid.exe
2244	2024-05-15_876eae7a13756dfb6df30099bf9569dc_icedid.exe
2244	2024-05-15_876eae7a13756dfb6df30099bf9569dc_icedid.exe
2244	2024-05-15_876eae7a13756dfb6df30099bf9569dc_icedid.exe
2244	2024-05-15_876eae7a13756dfb6df30099bf9569dc_icedid.exe
2244	2024-05-15_876eae7a13756dfb6df30099bf9569dc_icedid.exe
2244	2024-05-15_876eae7a13756dfb6df30099bf9569dc_icedid.exe
2244	2024-05-15_876eae7a13756dfb6df30099bf9569dc_icedid.exe
2244	2024-05-15_876eae7a13756dfb6df30099bf9569dc_icedid.exe
2244	2024-05-15_876eae7a13756dfb6df30099bf9569dc_icedid.exe
2244	2024-05-15_876eae7a13756dfb6df30099bf9569dc_icedid.exe
2244	2024-05-15_876eae7a13756dfb6df30099bf9569dc_icedid.exe
2244	2024-05-15_876eae7a13756dfb6df30099bf9569dc_icedid.exe
2244	2024-05-15_876eae7a13756dfb6df30099bf9569dc_icedid.exe
2244	2024-05-15_876eae7a13756dfb6df30099bf9569dc_icedid.exe
2244	2024-05-15_876eae7a13756dfb6df30099bf9569dc_icedid.exe
2244	2024-05-15_876eae7a13756dfb6df30099bf9569dc_icedid.exe
2244	2024-05-15_876eae7a13756dfb6df30099bf9569dc_icedid.exe
2244	2024-05-15_876eae7a13756dfb6df30099bf9569dc_icedid.exe
2244	2024-05-15_876eae7a13756dfb6df30099bf9569dc_icedid.exe
2244	2024-05-15_876eae7a13756dfb6df30099bf9569dc_icedid.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2244	2024-05-15_876eae7a13756dfb6df30099bf9569dc_icedid.exe
2244	2024-05-15_876eae7a13756dfb6df30099bf9569dc_icedid.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_876eae7a13756dfb6df30099bf9569dc_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-15_876eae7a13756dfb6df30099bf9569dc_icedid.exe"
1⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Uninstall.exe

Filesize
10.2MB

MD5
c449b0abc9932cc5809c4f5e303a0cf9

SHA1
908bbcb102d80d54fb415c2ba7d192c07e94824a

SHA256
af80a1be03216f132d82bcedd0e0843be518e76a3bb6963beadce32114fe5f43

SHA512
69d41ad490abd653cc4bd99e5c73f9b668dbd101a7409a6b7f95be6aa46cf8c9fd4747c27c67adb1f172bc0a36c5e5abb7cf4cd7d327b8b4fca2ac571e01e9b8

Download Submit