Analysis Overview
SHA256
cbc89fcc895d9aee6028ca0f4c899697901a882476aef81a92cc106a22c7bbd1
Threat Level: Known bad
The file 2024-05-26_169b1f31485f0103973555d92a17b8df_icedid was found to be: Known bad.
Malicious Activity Summary
Disables service(s)
Detects executables containing possible sandbox analysis VM usernames
Stops running service(s)
Blocklisted process makes network request
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Enumerates connected drives
Adds Run key to start application
Drops file in System32 directory
Launches sc.exe
Drops file in Program Files directory
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious behavior: RenamesItself
Suspicious behavior: LoadsDriver
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
| Field | Value |
| --- | --- |
| Reported | 2024-05-26 03:45 |
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
| Field | Value |
| --- | --- |
| Submitted | 2024-05-26 03:45 |
| Reported | 2024-05-26 03:47 |
| Platform | win7-20240221-en |
| Max time kernel | 150s |
| Max time network | 125s |
| Command Line | |
Signatures
Disables service(s)
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\Rundll32.exe | N/A |
Stops running service(s)
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\system.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-26_169b1f31485f0103973555d92a17b8df_icedid.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-26_169b1f31485f0103973555d92a17b8df_icedid.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-26_169b1f31485f0103973555d92a17b8df_icedid.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Rundll32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-26_169b1f31485f0103973555d92a17b8df_icedid.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Windows\\system32\\system.exe" | C:\Windows\SysWOW64\Rundll32.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened (read-only) | \??\D: | C:\Windows\SysWOW64\Rundll32.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\SysWOW64\Rundll32.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\system.exe | C:\Users\Admin\AppData\Local\Temp\2024-05-26_169b1f31485f0103973555d92a17b8df_icedid.exe | N/A |
| File created | C:\Windows\SysWOW64\hrgmuctb.dll | C:\Windows\SysWOW64\system.exe | N/A |
| File created | C:\Windows\SysWOW64\avjmuctb.dll | C:\Windows\SysWOW64\system.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Program Files\AAV\CDriver.sys | C:\Windows\SysWOW64\Rundll32.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\Rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Rundll32.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-26_169b1f31485f0103973555d92a17b8df_icedid.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-26_169b1f31485f0103973555d92a17b8df_icedid.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\2024-05-26_169b1f31485f0103973555d92a17b8df_icedid.exe | "C:\Users\Admin\AppData\Local\Temp\2024-05-26_169b1f31485f0103973555d92a17b8df_icedid.exe" |
| C:\Windows\SysWOW64\system.exe | C:\Windows\system32\system.exe |
| C:\Windows\SysWOW64\Rundll32.exe | Rundll32 C:\Windows\system32\hrgmuctb.dll Exbcute |
| C:\Windows\SysWOW64\net.exe | net stop WinDefend |
| C:\Windows\SysWOW64\net.exe | net stop MpsSvc |
| C:\Windows\SysWOW64\sc.exe | sc config WinDefend start= disabled |
| C:\Windows\SysWOW64\sc.exe | sc config MpsSvc start= disabled |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop WinDefend |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop MpsSvc |
| C:\Windows\SysWOW64\sc.exe | sc stop ZhuDongFangYu |
| C:\Windows\SysWOW64\sc.exe | sc delete ZhuDongFangYu |
| C:\Windows\SysWOW64\sc.exe | sc stop 360rp |
| C:\Windows\SysWOW64\sc.exe | sc delete 360rp |
| C:\Windows\SysWOW64\sc.exe | "C:\Windows\System32\sc.exe" stop PolicyAgent |
| C:\Windows\SysWOW64\Rundll32.exe | Rundll32 C:\Windows\system32\avjmuctb.dll Exbcute |
| C:\Users\Admin\AppData\Local\Temp\2024-05-26_169b1f31485f0103973555d92a17b8df_icedid.exe | C:\Users\Admin\AppData\Local\Temp\2024-05-26_169b1f31485f0103973555d92a17b8df_icedid.exe |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | tsh16.w3g7j.com | udp |
| FI | 193.166.255.171:8080 | tsh16.w3g7j.com | tcp |
Files
memory/2252-0-0x0000000000400000-0x000000000049C000-memory.dmp
\Windows\SysWOW64\system.exe
| Hash | Value |
| --- | --- |
| MD5 | 2de43a2571b821f9cdcd84c3c23b7ce6 |
| SHA1 | ff038212807b5cc4ce85009877350a25f3495f1d |
| SHA256 | 894aa909df1f26bee14c9f66efd1e9d7a173967b83ee9040d939ce8d448062c7 |
| SHA512 | de85d63e87fcc6a8cff1cf1120b33a7b1ef2bcdc068ce24f679df12550f5471ec456de103abac73d0c96d4cbdec7ccb8f2c0f2b868fc4187e92b3c1a9b9225a7 |
C:\Windows\SysWOW64\hrgmuctb.dll
| Hash | Value |
| --- | --- |
| MD5 | 9b0bdefd566a844ab82d31d41cae80eb |
| SHA1 | 11221562bee4503b003ba5f8e7be67df92093dd9 |
| SHA256 | c00834615d7d447d3f9c9803ddf8ed0ced42451170ba930146d04f18d2d880dc |
| SHA512 | 66e2fd72a13ffd8bc1ddeca7b9db3eec92f15d744bd2faa11f76f35c92367af7c6ca6cef8405d9542b7ebd193c0e14b05ec96412c5ff0349826ed4e81ad43909 |
memory/2252-16-0x0000000000260000-0x0000000000261000-memory.dmp
C:\Windows\SysWOW64\avjmuctb.dll
| Hash | Value |
| --- | --- |
| MD5 | af18ffd71cf2abe49e60353b9202bf70 |
| SHA1 | fca0fb502f5d79eacfb6b3af613e9f38e30220d8 |
| SHA256 | adc6b3bbd691387198f597c9228df74138ed601804ff35d0e78e08cb8bb24aac |
| SHA512 | 3bd7f681a659fbdd20953a5f1442102d8c10a9eab55f5ea0b815a205478a81a7eaae180313a80646bc972e486f0f4b8abe338b47ea792c2242f85a6349e9bceb |
\Users\Admin\AppData\Local\Temp\34A7.tmp
| Hash | Value |
| --- | --- |
| MD5 | b5eb5bd3066959611e1f7a80fd6cc172 |
| SHA1 | 6fb1532059212c840737b3f923a9c0b152c0887a |
| SHA256 | 1ffb68a66f28f604adcae9c135f8dcf301316ab7fda8ebd294583c56dd26f7cc |
| SHA512 | 6c0743e0ff4922e859ba66b68040ab994dbae33e80c63ce8c993ad31a0c7aad6c6467484da1550063214953cd641dbf597438dd0c02f24164505d88ca80ea1b6 |
memory/2252-56-0x0000000000400000-0x000000000049C000-memory.dmp
\Users\Admin\AppData\Local\Temp\2024-05-26_169b1f31485f0103973555d92a17b8df_icedid.exe
| Hash | Value |
| --- | --- |
| MD5 | 61a77d9b15c3587c37e488d15c047f1b |
| SHA1 | 0de190158dae1da0e21f87a4949bbff56bdc701b |
| SHA256 | 5c36cbc4ec7f56df3c15d71dcbfc4391a499f4b35f92966d52b418d5e19000f4 |
| SHA512 | 9f0632c0d3305e05e366131cb08586a09a54522b077b2c305b76c245f939da5774cc53ea9bf32d3cc364c113813ebe1f59b7410cdebc66727263708d71acddb2 |
Analysis: behavioral2
Detonation Overview
| Field | Value |
| --- | --- |
| Submitted | 2024-05-26 03:45 |
| Reported | 2024-05-26 03:47 |
| Platform | win10v2004-20240508-en |
| Max time kernel | 149s |
| Max time network | 149s |
| Command Line | |
Signatures
Disables service(s)
Detects executables containing possible sandbox analysis VM usernames
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\Rundll32.exe | N/A |
Stops running service(s)
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\Rundll32.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\system.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-26_169b1f31485f0103973555d92a17b8df_icedid.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\Rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Rundll32.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Windows\\system32\\system.exe" | C:\Windows\SysWOW64\Rundll32.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened (read-only) | \??\D: | C:\Windows\SysWOW64\Rundll32.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\SysWOW64\Rundll32.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\qekbmgaa.dll | C:\Windows\SysWOW64\system.exe | N/A |
| File created | C:\Windows\SysWOW64\system.exe | C:\Users\Admin\AppData\Local\Temp\2024-05-26_169b1f31485f0103973555d92a17b8df_icedid.exe | N/A |
| File created | C:\Windows\SysWOW64\qqgamgaa.dll | C:\Windows\SysWOW64\system.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Program Files\AAV\CDriver.sys | C:\Windows\SysWOW64\Rundll32.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\Rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Rundll32.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-26_169b1f31485f0103973555d92a17b8df_icedid.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-26_169b1f31485f0103973555d92a17b8df_icedid.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\2024-05-26_169b1f31485f0103973555d92a17b8df_icedid.exe | "C:\Users\Admin\AppData\Local\Temp\2024-05-26_169b1f31485f0103973555d92a17b8df_icedid.exe" |
| C:\Windows\SysWOW64\system.exe | C:\Windows\system32\system.exe |
| C:\Windows\SysWOW64\Rundll32.exe | Rundll32 C:\Windows\system32\qqgamgaa.dll Exbcute |
| C:\Windows\SysWOW64\net.exe | net stop WinDefend |
| C:\Windows\SysWOW64\net.exe | net stop MpsSvc |
| C:\Windows\SysWOW64\sc.exe | sc config WinDefend start= disabled |
| C:\Windows\SysWOW64\sc.exe | sc config MpsSvc start= disabled |
| C:\Windows\SysWOW64\sc.exe | sc stop ZhuDongFangYu |
| C:\Windows\SysWOW64\sc.exe | sc delete ZhuDongFangYu |
| C:\Windows\SysWOW64\sc.exe | sc stop 360rp |
| C:\Windows\SysWOW64\sc.exe | sc delete 360rp |
| C:\Windows\SysWOW64\sc.exe | "C:\Windows\System32\sc.exe" stop PolicyAgent |
| C:\Windows\SysWOW64\Rundll32.exe | Rundll32 C:\Windows\system32\qekbmgaa.dll Exbcute |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop MpsSvc |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop WinDefend |
| C:\Users\Admin\AppData\Local\Temp\2024-05-26_169b1f31485f0103973555d92a17b8df_icedid.exe | C:\Users\Admin\AppData\Local\Temp\2024-05-26_169b1f31485f0103973555d92a17b8df_icedid.exe |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | tsh16.w3g7j.com | udp |
| FI | 193.166.255.171:8080 | tsh16.w3g7j.com | tcp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
memory/2344-0-0x0000000000400000-0x000000000049C000-memory.dmp
C:\Windows\SysWOW64\system.exe
| Hash | Value |
| --- | --- |
| MD5 | 2de43a2571b821f9cdcd84c3c23b7ce6 |
| SHA1 | ff038212807b5cc4ce85009877350a25f3495f1d |
| SHA256 | 894aa909df1f26bee14c9f66efd1e9d7a173967b83ee9040d939ce8d448062c7 |
| SHA512 | de85d63e87fcc6a8cff1cf1120b33a7b1ef2bcdc068ce24f679df12550f5471ec456de103abac73d0c96d4cbdec7ccb8f2c0f2b868fc4187e92b3c1a9b9225a7 |
C:\Windows\SysWOW64\qqgamgaa.dll
| Hash | Value |
| --- | --- |
| MD5 | 9b0bdefd566a844ab82d31d41cae80eb |
| SHA1 | 11221562bee4503b003ba5f8e7be67df92093dd9 |
| SHA256 | c00834615d7d447d3f9c9803ddf8ed0ced42451170ba930146d04f18d2d880dc |
| SHA512 | 66e2fd72a13ffd8bc1ddeca7b9db3eec92f15d744bd2faa11f76f35c92367af7c6ca6cef8405d9542b7ebd193c0e14b05ec96412c5ff0349826ed4e81ad43909 |
memory/2344-9-0x0000000000620000-0x0000000000621000-memory.dmp
C:\Windows\SysWOW64\qekbmgaa.dll
| Hash | Value |
| --- | --- |
| MD5 | af18ffd71cf2abe49e60353b9202bf70 |
| SHA1 | fca0fb502f5d79eacfb6b3af613e9f38e30220d8 |
| SHA256 | adc6b3bbd691387198f597c9228df74138ed601804ff35d0e78e08cb8bb24aac |
| SHA512 | 3bd7f681a659fbdd20953a5f1442102d8c10a9eab55f5ea0b815a205478a81a7eaae180313a80646bc972e486f0f4b8abe338b47ea792c2242f85a6349e9bceb |
C:\Users\Admin\AppData\Local\Temp\4815.tmp
| Hash | Value |
| --- | --- |
| MD5 | 6c7cdd25c2cb0073306eb22aebfc663f |
| SHA1 | a1eba8ab49272b9852fe6a543677e8af36271248 |
| SHA256 | 58280e3572333f97a7cf9f33e8d31dc26a98b6535965ebd0bde82249fc9bf705 |
| SHA512 | 17344e07b9e9b2cd6ae4237d7f310732462f9cbb8656883607d7a1a4090e869265f92a6da1718dee50b1375b91583de60c6bd9e7e8db6b6e45e33f4b894365d6 |
memory/2344-29-0x0000000000400000-0x000000000049C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2024-05-26_169b1f31485f0103973555d92a17b8df_icedid.exe
| Hash | Value |
| --- | --- |
| MD5 | 61a77d9b15c3587c37e488d15c047f1b |
| SHA1 | 0de190158dae1da0e21f87a4949bbff56bdc701b |
| SHA256 | 5c36cbc4ec7f56df3c15d71dcbfc4391a499f4b35f92966d52b418d5e19000f4 |
| SHA512 | 9f0632c0d3305e05e366131cb08586a09a54522b077b2c305b76c245f939da5774cc53ea9bf32d3cc364c113813ebe1f59b7410cdebc66727263708d71acddb2 |