Analysis
max time kernel: 142s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-05-2024 01:01
Static task: static1

Behavioral task: behavioral1
Sample: 2024-05-23_fefe9118ac096b5300fbf413ebd47ce2_icedid.exe
Resource: win7-20240508-en

Behavioral task: behavioral2
Sample: 2024-05-23_fefe9118ac096b5300fbf413ebd47ce2_icedid.exe
Resource: win10v2004-20240226-en
General
Target: 2024-05-23_fefe9118ac096b5300fbf413ebd47ce2_icedid.exe
Size: 289KB
MD5: fefe9118ac096b5300fbf413ebd47ce2
SHA1: 5c290118ebea9124b6bb0538860d97649060f294
SHA256: 0796bc3b492e5ae388f842b73dfc36a68c0b482d4347cf0448db13f91e6bedbb
SHA512: 00af6bf8ee84179fedac27e3cd89c2821460afddf8236de93e65f9ec33c347ef8baa48cfd0092ab84b3b9bb829e0279c5b5c7e09bb9f56c723432b04cf6c0b2e
SSDEEP: 3072:lxUm75Fku3eKeO213SJReOqdmErj+HyHnNVIPL/+ybbiW1u46Q7qV3lU8xM:fU8Dk11CJ1qDWUNVIT/bblS9x
Malware Config
Signatures
Executes dropped EXE (1 IoC)
Processes:
  PID   Process
  3744  towrite.exe

Drops file in Program Files directory (2 IoCs)
Processes:
  Description                   IoC                                  Process
  File created                  C:\Program Files\having\towrite.exe  2024-05-23_fefe9118ac096b5300fbf413ebd47ce2_icedid.exe
  File opened for modification  C:\Program Files\having\towrite.exe  2024-05-23_fefe9118ac096b5300fbf413ebd47ce2_icedid.exe

Program crash (2 IoCs)
Processes:
  PID   Target PID  Process       Target process
  5012  3292        WerFault.exe  2024-05-23_fefe9118ac096b5300fbf413ebd47ce2_icedid.exe
  1736  3292        WerFault.exe  2024-05-23_fefe9118ac096b5300fbf413ebd47ce2_icedid.exe

Suspicious use of SetWindowsHookEx (8 IoCs)
Processes:
  PID   Process
  3292  2024-05-23_fefe9118ac096b5300fbf413ebd47ce2_icedid.exe
  3292  2024-05-23_fefe9118ac096b5300fbf413ebd47ce2_icedid.exe
  3292  2024-05-23_fefe9118ac096b5300fbf413ebd47ce2_icedid.exe
  3292  2024-05-23_fefe9118ac096b5300fbf413ebd47ce2_icedid.exe
  3744  towrite.exe
  3744  towrite.exe
  3744  towrite.exe
  3744  towrite.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  Description                          PID   Process                                                  Target process
  PID 3292 wrote to memory of 3744     3292  2024-05-23_fefe9118ac096b5300fbf413ebd47ce2_icedid.exe  towrite.exe
  PID 3292 wrote to memory of 3744     3292  2024-05-23_fefe9118ac096b5300fbf413ebd47ce2_icedid.exe  towrite.exe
  PID 3292 wrote to memory of 3744     3292  2024-05-23_fefe9118ac096b5300fbf413ebd47ce2_icedid.exe  towrite.exe
Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-23_fefe9118ac096b5300fbf413ebd47ce2_icedid.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-05-23_fefe9118ac096b5300fbf413ebd47ce2_icedid.exe"
  PID: 3292
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\Program Files\having\towrite.exe
      Command line: "C:\Program Files\having\towrite.exe" "3320"
      PID: 3744
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3292 -s 972
      PID: 5012
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3292 -s 1032
      PID: 1736
      - Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3292 -ip 3292
  PID: 3496

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3292 -ip 3292
  PID: 4396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3740 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:8
  PID: 332
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 289KB
MD5: eb5f22ed7e35af7264c7ea746a639953
SHA1: 10ab82b6e2eefc87fd5d2d10f04728d93b957cfe
SHA256: 9757924b64f5647ceabd53d2cf045924b9732f313f510124335fe462f601d46e
SHA512: a2b03cd8cb52a7da45b773e622db801d6d1e772bb5db29b6f145fdd681051495eb794d1b39197daa4c23d3ae777dbee6a8687123960079cb4668e7fc5b96ab4c