Analysis
max time kernel: 149s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/05/2024, 03:45

Static task: static1
Behavioral task: behavioral1
  Sample: 2024-05-26_169b1f31485f0103973555d92a17b8df_icedid.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 2024-05-26_169b1f31485f0103973555d92a17b8df_icedid.exe
  Resource: win10v2004-20240508-en
General
Target: 2024-05-26_169b1f31485f0103973555d92a17b8df_icedid.exe
Size: 602KB
MD5: 169b1f31485f0103973555d92a17b8df
SHA1: bc28421db6ebe828041d9f06313056ff8fbcc52b
SHA256: cbc89fcc895d9aee6028ca0f4c899697901a882476aef81a92cc106a22c7bbd1
SHA512: f158e3929aabc17005af2fdca066004c8170cbec88b5bd061a72b3008749f655e153349d0f162ff27aef148108efbbe4cab367f8d9be714194b90474dd75c573
SSDEEP: 12288:BO8oSyBu+/FNipnbfWdswjvrqFvhh72zS5:voSAu+//imWFz2i
Malware Config
Signatures
Detects executables containing possible sandbox analysis VM usernames (1 IoCs)
  resource: behavioral2/files/0x00080000000233f4-24.dat | yara_rule: INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
Blocklisted process makes network request (1 IoCs)
  flow: 4 | pid: 1528 | Process: Rundll32.exe
Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description: Key value queried | ioc: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | Process: Rundll32.exe
Executes dropped EXE (2 IoCs)
  pid: 2664 | Process: system.exe
  pid: 1820 | Process: 2024-05-26_169b1f31485f0103973555d92a17b8df_icedid.exe
Loads dropped DLL (3 IoCs)
  pid: 2868 | Process: Rundll32.exe
  pid: 1528 | Process: Rundll32.exe
  pid: 1528 | Process: Rundll32.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
  description: Set value (str) | ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Windows\\system32\\system.exe" | Process: Rundll32.exe
Enumerates connected drives (3 TTPs, 2 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description: File opened (read-only) | ioc: \??\D: | Process: Rundll32.exe
  description: File opened (read-only) | ioc: \??\F: | Process: Rundll32.exe
Drops file in System32 directory (3 IoCs)
  description: File created | ioc: C:\Windows\SysWOW64\qekbmgaa.dll | Process: system.exe
  description: File created | ioc: C:\Windows\SysWOW64\system.exe | Process: 2024-05-26_169b1f31485f0103973555d92a17b8df_icedid.exe
  description: File created | ioc: C:\Windows\SysWOW64\qqgamgaa.dll | Process: system.exe
Drops file in Program Files directory (1 IoCs)
  description: File opened for modification | ioc: C:\Program Files\AAV\CDriver.sys | Process: Rundll32.exe
Launches sc.exe (7 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  pid: 2504 | Process: sc.exe
  pid: 3044 | Process: sc.exe
  pid: 4444 | Process: sc.exe
  pid: 3708 | Process: sc.exe
  pid: 2044 | Process: sc.exe
  pid: 3584 | Process: sc.exe
  pid: 4748 | Process: sc.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Runs net.exe
Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid: 2868 | Process: Rundll32.exe (14 identical entries)
Suspicious behavior: LoadsDriver (1 IoCs)
  pid: 652 | Process: Process not Found
Suspicious behavior: RenamesItself (1 IoCs)
  pid: 2344 | Process: 2024-05-26_169b1f31485f0103973555d92a17b8df_icedid.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
  pid: 1820 | Process: 2024-05-26_169b1f31485f0103973555d92a17b8df_icedid.exe
Suspicious use of WriteProcessMemory (55 IoCs)
  description | pid | Process | procid_target (consecutive identical entries collapsed, count in parentheses)
  PID 2344 wrote to memory of 2664 | 2344 | 2024-05-26_169b1f31485f0103973555d92a17b8df_icedid.exe | 85 (x3)
  PID 2664 wrote to memory of 2868 | 2664 | system.exe | 86 (x3)
  PID 2868 wrote to memory of 4740 | 2868 | Rundll32.exe | 87 (x3)
  PID 2868 wrote to memory of 1420 | 2868 | Rundll32.exe | 88 (x3)
  PID 2868 wrote to memory of 3708 | 2868 | Rundll32.exe | 89 (x3)
  PID 2868 wrote to memory of 4444 | 2868 | Rundll32.exe | 90 (x3)
  PID 2868 wrote to memory of 3044 | 2868 | Rundll32.exe | 91 (x3)
  PID 2868 wrote to memory of 2504 | 2868 | Rundll32.exe | 93 (x3)
  PID 2868 wrote to memory of 4748 | 2868 | Rundll32.exe | 94 (x3)
  PID 2868 wrote to memory of 3584 | 2868 | Rundll32.exe | 95 (x3)
  PID 2868 wrote to memory of 2344 | 2868 | Rundll32.exe | 84 (x2)
  PID 2868 wrote to memory of 2664 | 2868 | Rundll32.exe | 85 (x2)
  PID 2868 wrote to memory of 4740 | 2868 | Rundll32.exe | 87 (x2)
  PID 2868 wrote to memory of 1420 | 2868 | Rundll32.exe | 88 (x2)
  PID 2868 wrote to memory of 4444 | 2868 | Rundll32.exe | 90 (x2)
  PID 2868 wrote to memory of 2044 | 2868 | Rundll32.exe | 103 (x3)
  PID 2664 wrote to memory of 1528 | 2664 | system.exe | 105 (x3)
  PID 1420 wrote to memory of 1840 | 1420 | net.exe | 106 (x3)
  PID 4740 wrote to memory of 2912 | 4740 | net.exe | 107 (x3)
  PID 2344 wrote to memory of 1820 | 2344 | 2024-05-26_169b1f31485f0103973555d92a17b8df_icedid.exe | 122 (x3)
Processes
(process tree; depth in brackets, children indented under their parent)

[1] C:\Users\Admin\AppData\Local\Temp\2024-05-26_169b1f31485f0103973555d92a17b8df_icedid.exe  PID:2344
    cmd: "C:\Users\Admin\AppData\Local\Temp\2024-05-26_169b1f31485f0103973555d92a17b8df_icedid.exe"
    - Drops file in System32 directory
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\system.exe  PID:2664
      cmd: C:\Windows\system32\system.exe
      - Executes dropped EXE
      - Drops file in System32 directory
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\Rundll32.exe  PID:2868
        cmd: Rundll32 C:\Windows\system32\qqgamgaa.dll Exbcute
        - Checks computer location settings
        - Loads dropped DLL
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\net.exe  PID:4740
          cmd: net stop WinDefend
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\net1.exe  PID:2912
            cmd: C:\Windows\system32\net1 stop WinDefend
      [4] C:\Windows\SysWOW64\net.exe  PID:1420
          cmd: net stop MpsSvc
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\net1.exe  PID:1840
            cmd: C:\Windows\system32\net1 stop MpsSvc
      [4] C:\Windows\SysWOW64\sc.exe  PID:3708
          cmd: sc config WinDefend start= disabled
          - Launches sc.exe
      [4] C:\Windows\SysWOW64\sc.exe  PID:4444
          cmd: sc config MpsSvc start= disabled
          - Launches sc.exe
      [4] C:\Windows\SysWOW64\sc.exe  PID:3044
          cmd: sc stop ZhuDongFangYu
          - Launches sc.exe
      [4] C:\Windows\SysWOW64\sc.exe  PID:2504
          cmd: sc delete ZhuDongFangYu
          - Launches sc.exe
      [4] C:\Windows\SysWOW64\sc.exe  PID:4748
          cmd: sc stop 360rp
          - Launches sc.exe
      [4] C:\Windows\SysWOW64\sc.exe  PID:3584
          cmd: sc delete 360rp
          - Launches sc.exe
      [4] C:\Windows\SysWOW64\sc.exe  PID:2044
          cmd: "C:\Windows\System32\sc.exe" stop PolicyAgent
          - Launches sc.exe
    [3] C:\Windows\SysWOW64\Rundll32.exe  PID:1528
        cmd: Rundll32 C:\Windows\system32\qekbmgaa.dll Exbcute
        - Blocklisted process makes network request
        - Loads dropped DLL
        - Adds Run key to start application
        - Enumerates connected drives
  [2] C:\Users\Admin\AppData\Local\Temp\2024-05-26_169b1f31485f0103973555d92a17b8df_icedid.exe  PID:1820
      cmd: C:\Users\Admin\AppData\Local\Temp\2024-05-26_169b1f31485f0103973555d92a17b8df_icedid.exe
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (2)
    Windows Service (2)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (2)
    Windows Service (2)
Downloads
Filesize: 454KB
  MD5: 61a77d9b15c3587c37e488d15c047f1b
  SHA1: 0de190158dae1da0e21f87a4949bbff56bdc701b
  SHA256: 5c36cbc4ec7f56df3c15d71dcbfc4391a499f4b35f92966d52b418d5e19000f4
  SHA512: 9f0632c0d3305e05e366131cb08586a09a54522b077b2c305b76c245f939da5774cc53ea9bf32d3cc364c113813ebe1f59b7410cdebc66727263708d71acddb2
Filesize: 4.3MB
  MD5: 6c7cdd25c2cb0073306eb22aebfc663f
  SHA1: a1eba8ab49272b9852fe6a543677e8af36271248
  SHA256: 58280e3572333f97a7cf9f33e8d31dc26a98b6535965ebd0bde82249fc9bf705
  SHA512: 17344e07b9e9b2cd6ae4237d7f310732462f9cbb8656883607d7a1a4090e869265f92a6da1718dee50b1375b91583de60c6bd9e7e8db6b6e45e33f4b894365d6
Filesize: 24KB
  MD5: af18ffd71cf2abe49e60353b9202bf70
  SHA1: fca0fb502f5d79eacfb6b3af613e9f38e30220d8
  SHA256: adc6b3bbd691387198f597c9228df74138ed601804ff35d0e78e08cb8bb24aac
  SHA512: 3bd7f681a659fbdd20953a5f1442102d8c10a9eab55f5ea0b815a205478a81a7eaae180313a80646bc972e486f0f4b8abe338b47ea792c2242f85a6349e9bceb
Filesize: 75KB
  MD5: 9b0bdefd566a844ab82d31d41cae80eb
  SHA1: 11221562bee4503b003ba5f8e7be67df92093dd9
  SHA256: c00834615d7d447d3f9c9803ddf8ed0ced42451170ba930146d04f18d2d880dc
  SHA512: 66e2fd72a13ffd8bc1ddeca7b9db3eec92f15d744bd2faa11f76f35c92367af7c6ca6cef8405d9542b7ebd193c0e14b05ec96412c5ff0349826ed4e81ad43909
Filesize: 144KB
  MD5: 2de43a2571b821f9cdcd84c3c23b7ce6
  SHA1: ff038212807b5cc4ce85009877350a25f3495f1d
  SHA256: 894aa909df1f26bee14c9f66efd1e9d7a173967b83ee9040d939ce8d448062c7
  SHA512: de85d63e87fcc6a8cff1cf1120b33a7b1ef2bcdc068ce24f679df12550f5471ec456de103abac73d0c96d4cbdec7ccb8f2c0f2b868fc4187e92b3c1a9b9225a7