Analysis Overview
SHA256
05d956a5aa2add3c869e8de4dbc1ca90486f2f3462518f768f0f03ec5332dda4
Threat Level: Known bad
The file 2024-05-20_65489c337359e4fc7f087522091c7296_icedid was found to be: Known bad.
Malicious Activity Summary
UPX dump on OEP (original entry point)
Detects executables calling ClearMyTracksByProcess
Detects executables packed with VMProtect.
Detects executables embedding registry key / value combination indicative of disabling Windows Defender features
UPX packed file
VMProtect packed file
Unsigned PE
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-20 14:47
Signatures
Detects executables calling ClearMyTracksByProcess
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables embedding registry key / value combination indicative of disabling Windows Defender features
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables packed with VMProtect.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-20 14:47
Reported
2024-05-20 14:50
Platform
win10v2004-20240508-en
Max time kernel
140s
Max time network
125s
Command Line
Signatures
Detects executables packed with VMProtect.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-20_65489c337359e4fc7f087522091c7296_icedid.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-20_65489c337359e4fc7f087522091c7296_icedid.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-20_65489c337359e4fc7f087522091c7296_icedid.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-20_65489c337359e4fc7f087522091c7296_icedid.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-20_65489c337359e4fc7f087522091c7296_icedid.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-20_65489c337359e4fc7f087522091c7296_icedid.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-20_65489c337359e4fc7f087522091c7296_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-20_65489c337359e4fc7f087522091c7296_icedid.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 7k7kfz.cn | udp |
| HK | 8.218.210.137:80 | 7k7kfz.cn | tcp |
| NL | 23.62.61.72:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 137.210.218.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
memory/4460-0-0x0000000010000000-0x000000001003E000-memory.dmp
memory/4460-1-0x0000000010000000-0x000000001003E000-memory.dmp
memory/4460-25-0x0000000010000000-0x000000001003E000-memory.dmp
memory/4460-23-0x0000000010000000-0x000000001003E000-memory.dmp
memory/4460-41-0x0000000010000000-0x000000001003E000-memory.dmp
memory/4460-47-0x00000000051F0000-0x00000000053BD000-memory.dmp
memory/4460-48-0x00000000051F0000-0x00000000053BD000-memory.dmp
memory/4460-46-0x0000000010000000-0x000000001003E000-memory.dmp
memory/4460-39-0x0000000010000000-0x000000001003E000-memory.dmp
memory/4460-37-0x0000000010000000-0x000000001003E000-memory.dmp
memory/4460-35-0x0000000010000000-0x000000001003E000-memory.dmp
memory/4460-33-0x0000000010000000-0x000000001003E000-memory.dmp
memory/4460-31-0x0000000010000000-0x000000001003E000-memory.dmp
memory/4460-29-0x0000000010000000-0x000000001003E000-memory.dmp
memory/4460-27-0x0000000010000000-0x000000001003E000-memory.dmp
memory/4460-21-0x0000000010000000-0x000000001003E000-memory.dmp
memory/4460-19-0x0000000010000000-0x000000001003E000-memory.dmp
memory/4460-17-0x0000000010000000-0x000000001003E000-memory.dmp
memory/4460-15-0x0000000010000000-0x000000001003E000-memory.dmp
memory/4460-44-0x00000000051F0000-0x00000000053BD000-memory.dmp
memory/4460-43-0x0000000010000000-0x000000001003E000-memory.dmp
memory/4460-9-0x0000000010000000-0x000000001003E000-memory.dmp
memory/4460-7-0x0000000010000000-0x000000001003E000-memory.dmp
memory/4460-5-0x0000000010000000-0x000000001003E000-memory.dmp
memory/4460-3-0x0000000010000000-0x000000001003E000-memory.dmp
memory/4460-13-0x0000000010000000-0x000000001003E000-memory.dmp
memory/4460-11-0x0000000010000000-0x000000001003E000-memory.dmp
memory/4460-2-0x0000000010000000-0x000000001003E000-memory.dmp
memory/4460-53-0x0000000005540000-0x000000000570D000-memory.dmp
memory/4460-55-0x0000000005540000-0x000000000570D000-memory.dmp
memory/4460-52-0x00000000051F0000-0x00000000053BD000-memory.dmp
memory/4460-62-0x0000000005850000-0x000000000588E000-memory.dmp
memory/4460-104-0x0000000005850000-0x000000000588E000-memory.dmp
memory/4460-67-0x0000000005850000-0x000000000588E000-memory.dmp
memory/4460-65-0x0000000005850000-0x000000000588E000-memory.dmp
memory/4460-63-0x0000000005850000-0x000000000588E000-memory.dmp
memory/4460-61-0x0000000005850000-0x000000000588E000-memory.dmp
memory/4460-60-0x0000000005540000-0x000000000570D000-memory.dmp
memory/4460-56-0x0000000005540000-0x000000000570D000-memory.dmp
memory/4460-107-0x0000000010000000-0x000000001003E000-memory.dmp
memory/4460-108-0x0000000005540000-0x000000000570D000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-20 14:47
Reported
2024-05-20 14:50
Platform
win7-20240215-en
Max time kernel
120s
Max time network
124s
Command Line
Signatures
Detects executables calling ClearMyTracksByProcess
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables embedding registry key / value combination indicative of disabling Windows Defender features
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables packed with VMProtect.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-20_65489c337359e4fc7f087522091c7296_icedid.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-20_65489c337359e4fc7f087522091c7296_icedid.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-20_65489c337359e4fc7f087522091c7296_icedid.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-20_65489c337359e4fc7f087522091c7296_icedid.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-20_65489c337359e4fc7f087522091c7296_icedid.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-20_65489c337359e4fc7f087522091c7296_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-20_65489c337359e4fc7f087522091c7296_icedid.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 7k7kfz.cn | udp |
| HK | 8.218.210.137:80 | 7k7kfz.cn | tcp |
Files
memory/2208-0-0x0000000010000000-0x000000001003E000-memory.dmp
memory/2208-8-0x0000000010000000-0x000000001003E000-memory.dmp
memory/2208-20-0x0000000010000000-0x000000001003E000-memory.dmp
memory/2208-30-0x0000000010000000-0x000000001003E000-memory.dmp
memory/2208-42-0x0000000010000000-0x000000001003E000-memory.dmp
memory/2208-40-0x0000000010000000-0x000000001003E000-memory.dmp
memory/2208-38-0x0000000010000000-0x000000001003E000-memory.dmp
memory/2208-36-0x0000000010000000-0x000000001003E000-memory.dmp
memory/2208-34-0x0000000010000000-0x000000001003E000-memory.dmp
memory/2208-32-0x0000000010000000-0x000000001003E000-memory.dmp
memory/2208-28-0x0000000010000000-0x000000001003E000-memory.dmp
memory/2208-26-0x0000000010000000-0x000000001003E000-memory.dmp
memory/2208-24-0x0000000010000000-0x000000001003E000-memory.dmp
memory/2208-22-0x0000000010000000-0x000000001003E000-memory.dmp
memory/2208-18-0x0000000010000000-0x000000001003E000-memory.dmp
memory/2208-16-0x0000000010000000-0x000000001003E000-memory.dmp
memory/2208-14-0x0000000010000000-0x000000001003E000-memory.dmp
memory/2208-12-0x0000000010000000-0x000000001003E000-memory.dmp
memory/2208-1-0x0000000010000000-0x000000001003E000-memory.dmp
memory/2208-10-0x0000000010000000-0x000000001003E000-memory.dmp
memory/2208-6-0x0000000010000000-0x000000001003E000-memory.dmp
memory/2208-4-0x0000000010000000-0x000000001003E000-memory.dmp
memory/2208-2-0x0000000010000000-0x000000001003E000-memory.dmp
memory/2208-43-0x0000000004E40000-0x000000000500D000-memory.dmp
memory/2208-45-0x0000000000400000-0x000000000335B000-memory.dmp
memory/2208-46-0x0000000004E40000-0x000000000500D000-memory.dmp
memory/2208-51-0x0000000005520000-0x00000000056ED000-memory.dmp
memory/2208-50-0x0000000004E40000-0x000000000500D000-memory.dmp
memory/2208-53-0x0000000005520000-0x00000000056ED000-memory.dmp
memory/2208-57-0x0000000005520000-0x00000000056ED000-memory.dmp
memory/2208-64-0x0000000005830000-0x000000000586E000-memory.dmp
memory/2208-62-0x0000000005830000-0x000000000586E000-memory.dmp
memory/2208-101-0x0000000000400000-0x000000000335B000-memory.dmp
memory/2208-60-0x0000000005830000-0x000000000586E000-memory.dmp
memory/2208-102-0x0000000000400000-0x000000000335B000-memory.dmp
memory/2208-59-0x0000000005830000-0x000000000586E000-memory.dmp
memory/2208-58-0x0000000005830000-0x000000000586E000-memory.dmp
memory/2208-103-0x0000000000400000-0x000000000335B000-memory.dmp
memory/2208-105-0x0000000000400000-0x000000000335B000-memory.dmp
memory/2208-107-0x0000000000400000-0x000000000335B000-memory.dmp