85ba02d12eee2b5beafeac548abe0e76bf182eea8c421416252fab1c7796d8d1

General

Target

2024-05-23_ebca202de1aeb57174c67e9be148e554_icedid.exe
Size

719KB
MD5

ebca202de1aeb57174c67e9be148e554
SHA1

2eb6cc9ccde433d3928f265d34e85dc40b8987a2
SHA256

85ba02d12eee2b5beafeac548abe0e76bf182eea8c421416252fab1c7796d8d1
SHA512

7c8b3de52f0fc439e6fd63103041ecd2f0faaa4f0961556b68d729388b950ea43d54ec3e8bba2fad5174c17808f2f71d66ed6536c71f68d16a9a601b413e237c
SSDEEP

12288:MQt46f2XX3hG7qixwAsJW4gVj26oFkjlxYWkcZDEgsDp/dvdQWIaw:MQF3FsJW12jkjlxtkwogsDFdvdd

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

2B45.tmp

pid process

2136 2B45.tmp
Loads dropped DLL 2 IoCs

Processes:

2024-05-23_ebca202de1aeb57174c67e9be148e554_icedid.exe

pid process

1220 2024-05-23_ebca202de1aeb57174c67e9be148e554_icedid.exe
1220 2024-05-23_ebca202de1aeb57174c67e9be148e554_icedid.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2136	2B45.tmp

Drops file in System32 directory 64 IoCs

Processes:

2B45.tmp

description	ioc	process
File created	C:\Windows\SysWOW64\crtdll.dll	2B45.tmp
File opened for modification	C:\Windows\SysWOW64\msvcr110.dll	2B45.tmp
File created	C:\Windows\SysWOW64\d3dim700.dll	2B45.tmp
File created	C:\Windows\SysWOW64\setupSNK.exe	2B45.tmp
File created	C:\Windows\System32\DriverStore\FileRepository\atiilhag.inf_amd64_neutral_0a660e899f5038a2\atiumdva.dll	2B45.tmp
File created	C:\Windows\System32\DriverStore\FileRepository\nv_lh.inf_amd64_neutral_bc69f20e3115af59\nvd3dum.dll	2B45.tmp
File opened for modification	C:\Windows\SysWOW64\mfc100u.dll	2B45.tmp
File opened for modification	C:\Windows\SysWOW64\mfc110u.dll	2B45.tmp
File created	C:\Windows\SysWOW64\mfc40u.dll	2B45.tmp
File created	C:\Windows\SysWOW64\msjet40.dll	2B45.tmp
File opened for modification	C:\Windows\SysWOW64\atl100.dll	2B45.tmp
File created	C:\Windows\SysWOW64\audiodev.dll	2B45.tmp
File created	C:\Windows\SysWOW64\dplaysvr.exe	2B45.tmp
File created	C:\Windows\SysWOW64\msjter40.dll	2B45.tmp
File created	C:\Windows\SysWOW64\mstext40.dll	2B45.tmp
File created	C:\Windows\SysWOW64\sqlwoa.dll	2B45.tmp
File created	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-MediaPlayer\MediaPlayer-DLMigPlugin.dll	2B45.tmp
File opened for modification	C:\Windows\SysWOW64\concrt140.dll	2B45.tmp
File created	C:\Windows\SysWOW64\mfc40.dll	2B45.tmp
File created	C:\Windows\SysWOW64\msjtes40.dll	2B45.tmp
File created	C:\Windows\SysWOW64\msvbvm60.dll	2B45.tmp
File opened for modification	C:\Windows\SysWOW64\mfc140.dll	2B45.tmp
File opened for modification	C:\Windows\SysWOW64\vccorlib120.dll	2B45.tmp
File created	C:\Windows\SysWOW64\InstallShield\_isdel.exe	2B45.tmp
File created	C:\Windows\SysWOW64\d3d8.dll	2B45.tmp
File created	C:\Windows\SysWOW64\d3dxof.dll	2B45.tmp
File created	C:\Windows\SysWOW64\dmscript.dll	2B45.tmp
File opened for modification	C:\Windows\SysWOW64\msvcr120.dll	2B45.tmp
File opened for modification	C:\Windows\SysWOW64\vcomp140.dll	2B45.tmp
File created	C:\Windows\SysWOW64\d3dim.dll	2B45.tmp
File created	C:\Windows\SysWOW64\dplayx.dll	2B45.tmp
File created	C:\Windows\SysWOW64\mswdat10.dll	2B45.tmp
File created	C:\Windows\SysWOW64\rdvgumd32.dll	2B45.tmp
File created	C:\Windows\System32\DriverStore\FileRepository\igdlh.inf_amd64_neutral_54a12b57f547d08e\igd10umd32.dll	2B45.tmp
File opened for modification	C:\Windows\SysWOW64\MSCOMCTL.OCX	2B45.tmp
File created	C:\Windows\SysWOW64\mspbde40.dll	2B45.tmp
File created	C:\Windows\SysWOW64\msrepl40.dll	2B45.tmp
File opened for modification	C:\Windows\SysWOW64\msvcr100.dll	2B45.tmp
File created	C:\Windows\System32\DriverStore\FileRepository\igdlh.inf_amd64_neutral_54a12b57f547d08e\igdumd32.dll	2B45.tmp
File created	C:\Windows\SysWOW64\ir41_32.ax	2B45.tmp
File created	C:\Windows\SysWOW64\msvcrt20.dll	2B45.tmp
File created	C:\Windows\SysWOW64\msltus40.dll	2B45.tmp
File created	C:\Windows\SysWOW64\msorcl32.dll	2B45.tmp
File created	C:\Windows\SysWOW64\regedit.exe	2B45.tmp
File created	C:\Windows\System32\DriverStore\FileRepository\atiilhag.inf_amd64_neutral_0a660e899f5038a2\atidxx32.dll	2B45.tmp
File created	C:\Windows\SysWOW64\explorer.exe	2B45.tmp
File created	C:\Windows\SysWOW64\ir32_32.dll	2B45.tmp
File opened for modification	C:\Windows\SysWOW64\mfc120u.dll	2B45.tmp
File created	C:\Windows\SysWOW64\msrd2x40.dll	2B45.tmp
File created	C:\Windows\SysWOW64\sqlunirl.dll	2B45.tmp
File opened for modification	C:\Windows\SysWOW64\VBAME.DLL	2B45.tmp
File created	C:\Windows\SysWOW64\migration\MediaPlayer-DLMigPlugin.dll	2B45.tmp
File created	C:\Windows\SysWOW64\expsrv.dll	2B45.tmp
File opened for modification	C:\Windows\SysWOW64\FM20.DLL	2B45.tmp
File created	C:\Windows\SysWOW64\FXSXP32.dll	2B45.tmp
File opened for modification	C:\Windows\SysWOW64\mfc120.dll	2B45.tmp
File created	C:\Windows\SysWOW64\msrd3x40.dll	2B45.tmp
File created	C:\Windows\System32\DriverStore\FileRepository\nv_lh.inf_amd64_neutral_bc69f20e3115af59\nvwgf2um.dll	2B45.tmp
File created	C:\Windows\SysWOW64\dpwsockx.dll	2B45.tmp
File created	C:\Windows\SysWOW64\ir50_32.dll	2B45.tmp
File created	C:\Windows\SysWOW64\msexch40.dll	2B45.tmp
File opened for modification	C:\Windows\SysWOW64\msvcr120_clr0400.dll	2B45.tmp
File created	C:\Windows\SysWOW64\msxbde40.dll	2B45.tmp
File created	C:\Windows\SysWOW64\olecli32.dll	2B45.tmp

Drops file in Program Files directory 64 IoCs

Processes:

2B45.tmp

description	ioc	process
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\FSTOCK.DLL	2B45.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSOHEV.DLL	2B45.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEES.DLL	2B45.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\mset7tkjp.dll	2B45.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSPST32.DLL	2B45.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OMSMAIN.DLL	2B45.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\mset7tk.dll	2B45.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OIMG.DLL	2B45.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OWSCLT.DLL	2B45.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SOA.DLL	2B45.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSSP7FR.DLL	2B45.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	2B45.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\DBGHELP.DLL	2B45.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSOHTMED.EXE	2B45.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OART.DLL	2B45.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\STSCOPY.DLL	2B45.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\MCIMPP.mpp	2B45.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\FPERSON.DLL	2B45.tmp
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2B45.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE	2B45.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE	2B45.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\TaxonomyControl.dll	2B45.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\GIFIMP32.FLT	2B45.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\IPOLK.DLL	2B45.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE	2B45.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GKExcel.dll	2B45.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GKPowerPoint.dll	2B45.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ONENOTE.EXE	2B45.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\1033\MSGR3EN.DLL	2B45.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEEXCL.DLL	2B45.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	2B45.tmp
File opened for modification	C:\Program Files (x86)\Common Files\System\MSMAPI\1033\MSMAPI32.DLL	2B45.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MEDCAT.DLL	2B45.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\BIBUtils.dll	2B45.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\OSETUP.DLL	2B45.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	2B45.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSOCF.DLL	2B45.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\oisctrl.dll	2B45.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll	2B45.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PPCORE.DLL	2B45.tmp
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\ahclient.dll	2B45.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSTORDB.EXE	2B45.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PPSLAX.DLL	2B45.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\THOCRAPI.DLL	2B45.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSSP7EN.DLL	2B45.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\mset7.dll	2B45.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Web Folders\MSOSV.DLL	2B45.tmp
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\goopdate.dll	2B45.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\msolui100.dll	2B45.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OARTCONV.DLL	2B45.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	2B45.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe	2B45.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	2B45.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PTXT9.DLL	2B45.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBCONV.DLL	2B45.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\OLJRNL.FAE	2B45.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\PAB.SAM	2B45.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Updater.api	2B45.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll	2B45.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\drvDX9.x3d	2B45.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEEXCH.DLL	2B45.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\vstoee.dll	2B45.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\msmdlocal.dll	2B45.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\EMABLT32.DLL	2B45.tmp

Drops file in Windows directory 64 IoCs

Processes:

2B45.tmp

description	ioc	process
File created	C:\Windows\winsxs\Backup\x86_microsoft-windows-dui70_31bf3856ad364e35_6.1.7600.16385_none_578b05f45f6e5c68_dui70.dll_5f097b0b	2B45.tmp
File created	C:\Windows\winsxs\Backup\x86_microsoft-windows-imageanalysis_31bf3856ad364e35_6.1.7601.17514_none_4a6381a588654ba6_dbgeng.dll_eefdd445	2B45.tmp
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	2B45.tmp
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\diasymreader.dll	2B45.tmp
File created	C:\Windows\winsxs\Backup\wow64_microsoft-windows-setupapi_31bf3856ad364e35_6.1.7601.17514_none_9d700972113e2691_setupapi.dll_8d9de2e7	2B45.tmp
File created	C:\Windows\winsxs\Backup\wow64_microsoft-windows-setupapi_31bf3856ad364e35_6.1.7601.17514_none_9d700972113e2691_wowreg32.exe_94fc2d06	2B45.tmp
File created	C:\Windows\winsxs\Backup\x86_microsoft-windows-wininit_31bf3856ad364e35_6.1.7600.16385_none_30c90ef265a43c13_wininit.exe_7a527f28	2B45.tmp
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.VisualBasic.Activities.Compiler.dll	2B45.tmp
File created	C:\Windows\winsxs\Backup\wow64_microsoft-windows-explorerframe_31bf3856ad364e35_6.1.7601.17514_none_2af7b924bed13316_explorerframe.dll_f3ae0f78	2B45.tmp
File created	C:\Windows\winsxs\Backup\x86_microsoft-windows-credui_31bf3856ad364e35_6.1.7601.17514_none_dd3eb6aced2f8d13_credui.dll_c0e5bbea	2B45.tmp
File created	C:\Windows\winsxs\Backup\x86_microsoft-windows-errorreportingcore_31bf3856ad364e35_6.1.7601.17514_none_227e1c01642654f4_wer.dll_c8c67db6	2B45.tmp
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordacwks.dll	2B45.tmp
File created	C:\Windows\winsxs\amd64_atiilhag.inf_31bf3856ad364e35_6.1.7601.17514_none_03c46b205be81dfd\amdpcom32.dll	2B45.tmp
File created	C:\Windows\winsxs\Backup\x86_microsoft-windows-efs-core-library_31bf3856ad364e35_6.1.7601.17514_none_58a94d70f5cca7eb_efscore.dll_2a98ded7	2B45.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0000000010\9.0.0\ul_msvcr80.dll.98CB24AD_52FB_DB5F_FF1F_C8B3B9A1E18E	2B45.tmp
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	2B45.tmp
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\wpfgfx_v0400.dll	2B45.tmp
File created	C:\Windows\winsxs\Backup\wow64_microsoft.windows.winhttp_31bf3856ad364e35_5.1.7601.17514_none_c519dbeb6e585715_winhttp.dll_6cd72d6e	2B45.tmp
File created	C:\Windows\winsxs\Backup\x86_microsoft-windows-riched32_31bf3856ad364e35_6.1.7601.17514_none_9f081dc1e0ddbddb_riched20.dll_fb578f95	2B45.tmp
File created	C:\Windows\winsxs\Backup\wow64_microsoft-windows-wmi-core-svc_31bf3856ad364e35_6.1.7601.17514_none_092d6b9141f16aca_winmgmt.exe_8f8eb7b1	2B45.tmp
File created	C:\Windows\winsxs\Backup\x86_microsoft-windows-authentication-authui_31bf3856ad364e35_6.1.7601.17514_none_0dfae70253a9fb02_authui.dll_05ff9fd2	2B45.tmp
File created	C:\Windows\winsxs\Backup\x86_microsoft-windows-cryptnet-dll_31bf3856ad364e35_6.1.7600.16385_none_16ef973d5d294eb5_cryptnet.dll_e44c577b	2B45.tmp
File created	C:\Windows\winsxs\Backup\x86_microsoft-windows-legacyhwui_31bf3856ad364e35_6.1.7600.16385_none_e24a7886a9947ebf_hdwwiz.exe_b6a1c2df	2B45.tmp
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll	2B45.tmp
File created	C:\Windows\winsxs\Backup\wow64_microsoft-windows-ole-automation_31bf3856ad364e35_6.1.7601.17514_none_257ada4f467a7f64_oleaut32.dll_730e3d41	2B45.tmp
File created	C:\Windows\winsxs\Backup\wow64_microsoft-windows-uxtheme_31bf3856ad364e35_6.1.7600.16385_none_0c2e36cd54a163b4_uxtheme.dll_9f6cda06	2B45.tmp
File created	C:\Windows\winsxs\Backup\x86_microsoft-windows-rasrtutils_31bf3856ad364e35_6.1.7601.17514_none_0f1cfdfc48bca8a8_rtutils.dll_243724ab	2B45.tmp
File created	C:\Windows\winsxs\Backup\wow64_microsoft-windows-rasbase_31bf3856ad364e35_6.1.7601.17514_none_765b17a2c56f9155_rasmxs.dll_0c54a828	2B45.tmp
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data.OracleClient\v4.0_4.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll	2B45.tmp
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	2B45.tmp
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Data.OracleClient.dll	2B45.tmp
File created	C:\Windows\winsxs\Backup\wow64_microsoft-windows-a..ence-infrastructure_31bf3856ad364e35_6.1.7601.17514_none_3d8bb37f97ba22ff_sdbinst.exe_8725e339	2B45.tmp
File created	C:\Windows\winsxs\amd64_atiilhag.inf_31bf3856ad364e35_6.1.7601.17514_none_03c46b205be81dfd\atidxx32.dll	2B45.tmp
File created	C:\Windows\winsxs\Backup\x86_microsoft-windows-htmlhelp-infotech_31bf3856ad364e35_6.1.7601.17514_none_f8ab56ff71fc562a_itircl.dll_dafa7917	2B45.tmp
File created	C:\Windows\winsxs\Backup\x86_microsoft-windows-htmlhelp-infotech_31bf3856ad364e35_6.1.7601.17514_none_f8ab56ff71fc562a_itss.dll_f5d929eb	2B45.tmp
File created	C:\Windows\winsxs\Backup\x86_microsoft-windows-newdev_31bf3856ad364e35_6.1.7600.16385_none_114ca177b1fcad24_newdev.dll_7eb7622f	2B45.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\PresentationHostDLL_X86.dll	2B45.tmp
File created	C:\Windows\winsxs\Backup\x86_microsoft-windows-wintrust-dll_31bf3856ad364e35_6.1.7601.17514_none_f1b5a3b0f852fe0e_wintrust.dll_abec426a	2B45.tmp
File created	C:\Windows\winsxs\Backup\wow64_microsoft-windows-p..unterinfrastructure_31bf3856ad364e35_6.1.7601.17514_none_da00ad1949e715ad_cntrtextmig.dll_08675f2d	2B45.tmp
File created	C:\Windows\winsxs\Backup\wow64_microsoft-windows-security-schannel_31bf3856ad364e35_6.1.7601.17514_none_8a90facfa04322fd_schannel.dll_7364eaa8	2B45.tmp
File created	C:\Windows\winsxs\Backup\x86_microsoft-windows-crypt32-dll_31bf3856ad364e35_6.1.7601.17514_none_5d772bc73c15dfe5_crypt32.dll_9c3ccf73	2B45.tmp
File created	C:\Windows\winsxs\Backup\x86_microsoft-windows-ncrypt-dll_31bf3856ad364e35_6.1.7600.16385_none_5db4abb552efa414_ncrypt.dll_0f36c580	2B45.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\wpfgfx_x86.dll	2B45.tmp
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Data.dll	2B45.tmp
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\webengine4.dll	2B45.tmp
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\PresentationHost_v0400.dll	2B45.tmp
File created	C:\Windows\winsxs\Backup\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_35b31c02b85ccb6e_user32.dll_55f4ed20	2B45.tmp
File created	C:\Windows\winsxs\Backup\x86_microsoft-windows-atl_31bf3856ad364e35_6.1.7600.16385_none_aaf695e9bb060258_atl.dll_0c7220db	2B45.tmp
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\SetupEngine.dll	2B45.tmp
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\sqmapi.dll	2B45.tmp
File created	C:\Windows\winsxs\amd64_igdlh.inf_31bf3856ad364e35_6.1.7600.16385_none_f3e7064ea3c09a9a\igdumd32.dll	2B45.tmp
File created	C:\Windows\winsxs\Backup\wow64_microsoft-windows-msxml30_31bf3856ad364e35_6.1.7601.17514_none_f0e8f05be1d66e78_msxml3.dll_eaee1698	2B45.tmp
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.VisualBasic.Activities.Compiler\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Activities.Compiler.dll	2B45.tmp
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\FileTracker.dll	2B45.tmp
File created	C:\Windows\winsxs\Backup\x86_microsoft-windows-s..configurationengine_31bf3856ad364e35_6.1.7601.17514_none_bb2c4d9ee6dcc35c_scesrv.dll_07b1e224	2B45.tmp
File created	C:\Windows\winsxs\amd64_igdlh.inf_31bf3856ad364e35_6.1.7600.16385_none_f3e7064ea3c09a9a\igd10umd32.dll	2B45.tmp
File created	C:\Windows\winsxs\Backup\x86_microsoft-windows-duser_31bf3856ad364e35_6.1.7600.16385_none_5a4b046c5dce176a_duser.dll_a2bd2fa9	2B45.tmp
File created	C:\Windows\winsxs\Backup\x86_microsoft-windows-font-embedding_31bf3856ad364e35_6.1.7601.17514_none_b7c78d327d35e10e_t2embed.dll_66e8486f	2B45.tmp
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.EnterpriseServices.Thunk.dll	2B45.tmp
File created	C:\Windows\winsxs\Backup\wow64_microsoft-windows-i..i_initiator_service_31bf3856ad364e35_6.1.7601.17514_none_42ee5aff60183c81_iscsium.dll_edf4260f	2B45.tmp
File created	C:\Windows\winsxs\Backup\x86_microsoft-windows-international-core_31bf3856ad364e35_6.1.7601.17514_none_ebb1ce7438031941_muiunattend.exe_1e11bb40	2B45.tmp
File created	C:\Windows\winsxs\Backup\x86_microsoft-windows-wmpdui_31bf3856ad364e35_6.1.7600.16385_none_5ca7e61c63366a5f_wmpdui.dll_ed891d84	2B45.tmp
File created	C:\Windows\winsxs\Backup\x86_microsoft-windows-object-picker_31bf3856ad364e35_6.1.7600.16385_none_0f6c30b96de81257_objsel.dll_9d6ddd89	2B45.tmp
File created	C:\Windows\winsxs\amd64_atiilhag.inf_31bf3856ad364e35_6.1.7601.17514_none_03c46b205be81dfd\atiumdva.dll	2B45.tmp

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

2024-05-23_ebca202de1aeb57174c67e9be148e554_icedid.exe

pid	process
1220	2024-05-23_ebca202de1aeb57174c67e9be148e554_icedid.exe
1220	2024-05-23_ebca202de1aeb57174c67e9be148e554_icedid.exe
1220	2024-05-23_ebca202de1aeb57174c67e9be148e554_icedid.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

2024-05-23_ebca202de1aeb57174c67e9be148e554_icedid.exe

description	pid	process	target process
PID 1220 wrote to memory of 2136	1220	2024-05-23_ebca202de1aeb57174c67e9be148e554_icedid.exe	2B45.tmp
PID 1220 wrote to memory of 2136	1220	2024-05-23_ebca202de1aeb57174c67e9be148e554_icedid.exe	2B45.tmp
PID 1220 wrote to memory of 2136	1220	2024-05-23_ebca202de1aeb57174c67e9be148e554_icedid.exe	2B45.tmp
PID 1220 wrote to memory of 2136	1220	2024-05-23_ebca202de1aeb57174c67e9be148e554_icedid.exe	2B45.tmp

C:\Users\Admin\AppData\Local\Temp\2024-05-23_ebca202de1aeb57174c67e9be148e554_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-23_ebca202de1aeb57174c67e9be148e554_icedid.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1220

C:\Users\Admin\AppData\Local\Temp\2B45.tmp
C:\Users\Admin\AppData\Local\Temp\2B45.tmp
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:2136

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AdobeARM.log
Filesize
148B

MD5
bd30a0c8fadbfeb4ca7d05ba8a6b2806

SHA1
a1da0906396be862b4936b1181d1de4c93fa08fe

SHA256
4cb426f8f08a778bbd50d7368bf0c5d9c3edc9086d8e307b8f367fe04882aad2

SHA512
5968b2922d4aa5d888181d296a80fdafecc3f989d80d84962937aca150d815a22d13bad4fc4aa2ad831ce1f38ea5cb6def34226356c11e1f9358204890c96744

Download Submit
\Users\Admin\AppData\Local\Temp\2B45.tmp
Filesize
145KB

MD5
c610e7ccd6859872c585b2a85d7dc992

SHA1
362b3d4b72e3add687c209c79b500b7c6a246d46

SHA256
14063fc61dc71b9881d75e93a587c27a6daf8779ff5255a24a042beace541041

SHA512
8570aad2ae8b5dcba00fc5ebf3dc0ea117e96cc88a83febd820c5811bf617a6431c1367b3eb88332f43f80b30ebe2c298c22dcc44860a075f7b41bf350236666

Download Submit
memory/1220-1-0x0000000000260000-0x00000000002AE000-memory.dmp

Filesize
312KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads