Analysis
-
max time kernel
150s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
26/05/2024, 03:45
Static task
static1
Behavioral task
behavioral1
Sample
2024-05-26_169b1f31485f0103973555d92a17b8df_icedid.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
2024-05-26_169b1f31485f0103973555d92a17b8df_icedid.exe
Resource
win10v2004-20240508-en
General
-
Target
2024-05-26_169b1f31485f0103973555d92a17b8df_icedid.exe
-
Size
602KB
-
MD5
169b1f31485f0103973555d92a17b8df
-
SHA1
bc28421db6ebe828041d9f06313056ff8fbcc52b
-
SHA256
cbc89fcc895d9aee6028ca0f4c899697901a882476aef81a92cc106a22c7bbd1
-
SHA512
f158e3929aabc17005af2fdca066004c8170cbec88b5bd061a72b3008749f655e153349d0f162ff27aef148108efbbe4cab367f8d9be714194b90474dd75c573
-
SSDEEP
12288:BO8oSyBu+/FNipnbfWdswjvrqFvhh72zS5:voSAu+//imWFz2i
Malware Config
Signatures
-
Blocklisted process makes network request 1 IoCs
flow pid Process 5 1892 Rundll32.exe -
Executes dropped EXE 2 IoCs
pid Process 3012 system.exe 628 2024-05-26_169b1f31485f0103973555d92a17b8df_icedid.exe -
Loads dropped DLL 12 IoCs
pid Process 2252 2024-05-26_169b1f31485f0103973555d92a17b8df_icedid.exe 2252 2024-05-26_169b1f31485f0103973555d92a17b8df_icedid.exe 2504 Rundll32.exe 2504 Rundll32.exe 2504 Rundll32.exe 2504 Rundll32.exe 1892 Rundll32.exe 1892 Rundll32.exe 1892 Rundll32.exe 1892 Rundll32.exe 1892 Rundll32.exe 2252 2024-05-26_169b1f31485f0103973555d92a17b8df_icedid.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Windows\\system32\\system.exe" Rundll32.exe -
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\D: Rundll32.exe File opened (read-only) \??\F: Rundll32.exe -
Drops file in System32 directory 3 IoCs
description ioc Process File created C:\Windows\SysWOW64\system.exe 2024-05-26_169b1f31485f0103973555d92a17b8df_icedid.exe File created C:\Windows\SysWOW64\hrgmuctb.dll system.exe File created C:\Windows\SysWOW64\avjmuctb.dll system.exe -
Drops file in Program Files directory 1 IoCs
description ioc Process File opened for modification C:\Program Files\AAV\CDriver.sys Rundll32.exe -
Launches sc.exe 7 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 2536 sc.exe 2760 sc.exe 1328 sc.exe 2528 sc.exe 2424 sc.exe 2600 sc.exe 2512 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid Process 2504 Rundll32.exe 2504 Rundll32.exe 2504 Rundll32.exe 2504 Rundll32.exe 2504 Rundll32.exe 2504 Rundll32.exe 2504 Rundll32.exe -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 480 Process not Found -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 2252 2024-05-26_169b1f31485f0103973555d92a17b8df_icedid.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 628 2024-05-26_169b1f31485f0103973555d92a17b8df_icedid.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2252 wrote to memory of 3012 2252 2024-05-26_169b1f31485f0103973555d92a17b8df_icedid.exe 28 PID 2252 wrote to memory of 3012 2252 2024-05-26_169b1f31485f0103973555d92a17b8df_icedid.exe 28 PID 2252 wrote to memory of 3012 2252 2024-05-26_169b1f31485f0103973555d92a17b8df_icedid.exe 28 PID 2252 wrote to memory of 3012 2252 2024-05-26_169b1f31485f0103973555d92a17b8df_icedid.exe 28 PID 3012 wrote to memory of 2504 3012 system.exe 29 PID 3012 wrote to memory of 2504 3012 system.exe 29 PID 3012 wrote to memory of 2504 3012 system.exe 29 PID 3012 wrote to memory of 2504 3012 system.exe 29 PID 3012 wrote to memory of 2504 3012 system.exe 29 PID 3012 wrote to memory of 2504 3012 system.exe 29 PID 3012 wrote to memory of 2504 3012 system.exe 29 PID 2504 wrote to memory of 2688 2504 Rundll32.exe 30 PID 2504 wrote to memory of 2688 2504 Rundll32.exe 30 PID 2504 wrote to memory of 2688 2504 Rundll32.exe 30 PID 2504 wrote to memory of 2688 2504 Rundll32.exe 30 PID 2504 wrote to memory of 2676 2504 Rundll32.exe 31 PID 2504 wrote to memory of 2676 2504 Rundll32.exe 31 PID 2504 wrote to memory of 2676 2504 Rundll32.exe 31 PID 2504 wrote to memory of 2676 2504 Rundll32.exe 31 PID 2504 wrote to memory of 2528 2504 Rundll32.exe 34 PID 2504 wrote to memory of 2528 2504 Rundll32.exe 34 PID 2504 wrote to memory of 2528 2504 Rundll32.exe 34 PID 2504 wrote to memory of 2528 2504 Rundll32.exe 34 PID 2504 wrote to memory of 1328 2504 Rundll32.exe 35 PID 2504 wrote to memory of 1328 2504 Rundll32.exe 35 PID 2504 wrote to memory of 1328 2504 Rundll32.exe 35 PID 2504 wrote to memory of 1328 2504 Rundll32.exe 35 PID 2676 wrote to memory of 2744 2676 net.exe 39 PID 2676 wrote to memory of 2744 2676 net.exe 39 PID 2676 wrote to memory of 2744 2676 net.exe 39 PID 2676 wrote to memory of 2744 2676 net.exe 39 PID 2688 wrote to memory of 2768 2688 net.exe 38 PID 2688 wrote to memory of 2768 2688 net.exe 38 PID 2688 wrote to memory of 2768 2688 net.exe 38 PID 2688 wrote to memory of 2768 2688 net.exe 38 PID 2504 wrote to memory of 2424 2504 Rundll32.exe 40 PID 2504 wrote to memory of 2424 2504 Rundll32.exe 40 PID 2504 wrote to memory of 2424 2504 Rundll32.exe 40 PID 2504 wrote to memory of 2424 2504 Rundll32.exe 40 PID 2504 wrote to memory of 2600 2504 Rundll32.exe 41 PID 2504 wrote to memory of 2600 2504 Rundll32.exe 41 PID 2504 wrote to memory of 2600 2504 Rundll32.exe 41 PID 2504 wrote to memory of 2600 2504 Rundll32.exe 41 PID 2504 wrote to memory of 2536 2504 Rundll32.exe 42 PID 2504 wrote to memory of 2536 2504 Rundll32.exe 42 PID 2504 wrote to memory of 2536 2504 Rundll32.exe 42 PID 2504 wrote to memory of 2536 2504 Rundll32.exe 42 PID 2504 wrote to memory of 2512 2504 Rundll32.exe 44 PID 2504 wrote to memory of 2512 2504 Rundll32.exe 44 PID 2504 wrote to memory of 2512 2504 Rundll32.exe 44 PID 2504 wrote to memory of 2512 2504 Rundll32.exe 44 PID 2504 wrote to memory of 2252 2504 Rundll32.exe 27 PID 2504 wrote to memory of 2252 2504 Rundll32.exe 27 PID 2504 wrote to memory of 3012 2504 Rundll32.exe 28 PID 2504 wrote to memory of 3012 2504 Rundll32.exe 28 PID 2504 wrote to memory of 2688 2504 Rundll32.exe 30 PID 2504 wrote to memory of 2688 2504 Rundll32.exe 30 PID 2504 wrote to memory of 2676 2504 Rundll32.exe 31 PID 2504 wrote to memory of 2676 2504 Rundll32.exe 31 PID 2504 wrote to memory of 2528 2504 Rundll32.exe 34 PID 2504 wrote to memory of 2528 2504 Rundll32.exe 34 PID 2504 wrote to memory of 1328 2504 Rundll32.exe 35 PID 2504 wrote to memory of 1328 2504 Rundll32.exe 35 PID 2504 wrote to memory of 2744 2504 Rundll32.exe 39
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-05-26_169b1f31485f0103973555d92a17b8df_icedid.exe"C:\Users\Admin\AppData\Local\Temp\2024-05-26_169b1f31485f0103973555d92a17b8df_icedid.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2252 -
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3012 -
C:\Windows\SysWOW64\Rundll32.exeRundll32 C:\Windows\system32\hrgmuctb.dll Exbcute3⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2504 -
C:\Windows\SysWOW64\net.exenet stop WinDefend4⤵
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop WinDefend5⤵PID:2768
-
-
-
C:\Windows\SysWOW64\net.exenet stop MpsSvc4⤵
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MpsSvc5⤵PID:2744
-
-
-
C:\Windows\SysWOW64\sc.exesc config WinDefend start= disabled4⤵
- Launches sc.exe
PID:2528
-
-
C:\Windows\SysWOW64\sc.exesc config MpsSvc start= disabled4⤵
- Launches sc.exe
PID:1328
-
-
C:\Windows\SysWOW64\sc.exesc stop ZhuDongFangYu4⤵
- Launches sc.exe
PID:2424
-
-
C:\Windows\SysWOW64\sc.exesc delete ZhuDongFangYu4⤵
- Launches sc.exe
PID:2600
-
-
C:\Windows\SysWOW64\sc.exesc stop 360rp4⤵
- Launches sc.exe
PID:2536
-
-
C:\Windows\SysWOW64\sc.exesc delete 360rp4⤵
- Launches sc.exe
PID:2512
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" stop PolicyAgent4⤵
- Launches sc.exe
PID:2760
-
-
-
C:\Windows\SysWOW64\Rundll32.exeRundll32 C:\Windows\system32\avjmuctb.dll Exbcute3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
PID:1892
-
-
-
C:\Users\Admin\AppData\Local\Temp\2024-05-26_169b1f31485f0103973555d92a17b8df_icedid.exeC:\Users\Admin\AppData\Local\Temp\2024-05-26_169b1f31485f0103973555d92a17b8df_icedid.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:628
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
24KB
MD5af18ffd71cf2abe49e60353b9202bf70
SHA1fca0fb502f5d79eacfb6b3af613e9f38e30220d8
SHA256adc6b3bbd691387198f597c9228df74138ed601804ff35d0e78e08cb8bb24aac
SHA5123bd7f681a659fbdd20953a5f1442102d8c10a9eab55f5ea0b815a205478a81a7eaae180313a80646bc972e486f0f4b8abe338b47ea792c2242f85a6349e9bceb
-
Filesize
75KB
MD59b0bdefd566a844ab82d31d41cae80eb
SHA111221562bee4503b003ba5f8e7be67df92093dd9
SHA256c00834615d7d447d3f9c9803ddf8ed0ced42451170ba930146d04f18d2d880dc
SHA51266e2fd72a13ffd8bc1ddeca7b9db3eec92f15d744bd2faa11f76f35c92367af7c6ca6cef8405d9542b7ebd193c0e14b05ec96412c5ff0349826ed4e81ad43909
-
Filesize
454KB
MD561a77d9b15c3587c37e488d15c047f1b
SHA10de190158dae1da0e21f87a4949bbff56bdc701b
SHA2565c36cbc4ec7f56df3c15d71dcbfc4391a499f4b35f92966d52b418d5e19000f4
SHA5129f0632c0d3305e05e366131cb08586a09a54522b077b2c305b76c245f939da5774cc53ea9bf32d3cc364c113813ebe1f59b7410cdebc66727263708d71acddb2
-
Filesize
1.7MB
MD5b5eb5bd3066959611e1f7a80fd6cc172
SHA16fb1532059212c840737b3f923a9c0b152c0887a
SHA2561ffb68a66f28f604adcae9c135f8dcf301316ab7fda8ebd294583c56dd26f7cc
SHA5126c0743e0ff4922e859ba66b68040ab994dbae33e80c63ce8c993ad31a0c7aad6c6467484da1550063214953cd641dbf597438dd0c02f24164505d88ca80ea1b6
-
Filesize
144KB
MD52de43a2571b821f9cdcd84c3c23b7ce6
SHA1ff038212807b5cc4ce85009877350a25f3495f1d
SHA256894aa909df1f26bee14c9f66efd1e9d7a173967b83ee9040d939ce8d448062c7
SHA512de85d63e87fcc6a8cff1cf1120b33a7b1ef2bcdc068ce24f679df12550f5471ec456de103abac73d0c96d4cbdec7ccb8f2c0f2b868fc4187e92b3c1a9b9225a7