786ab705663654c3f4cd173567008518cb24fa3e09d5ed9f0f65b2ff449ccd82

General

Target

2024-05-26_fddc3a7866dff5f4a14031eab2ba4ce3_icedid.exe
Size

19.4MB
MD5

fddc3a7866dff5f4a14031eab2ba4ce3
SHA1

78f7ce27d8ad5a5d903dd8e80a6d0fdd8c9c726b
SHA256

786ab705663654c3f4cd173567008518cb24fa3e09d5ed9f0f65b2ff449ccd82
SHA512

25a47ff39c2680bb5b39651f4812642b0cc3d0ae9155b5dc84dc2939e90c1e09b97336707f46fd15932a7730e0e7688b0209c114a8fd1fe9542b3563562f7c88
SSDEEP

393216:6NoiEpT6ec9rARDnsflCQIGD4O0vtLpY0j9:JiEpGec/41vtLp/B

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2424	download.exe
348	maria2c.exe

Loads dropped DLL 4 IoCs

pid	Process
2008	2024-05-26_fddc3a7866dff5f4a14031eab2ba4ce3_icedid.exe
2424	download.exe
2424	download.exe
1148	Process not Found

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2424	download.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2424	download.exe
2424	download.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2424	download.exe
2424	download.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2008	2024-05-26_fddc3a7866dff5f4a14031eab2ba4ce3_icedid.exe
2008	2024-05-26_fddc3a7866dff5f4a14031eab2ba4ce3_icedid.exe
2424	download.exe
2424	download.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 2424	2008	2024-05-26_fddc3a7866dff5f4a14031eab2ba4ce3_icedid.exe	28
PID 2008 wrote to memory of 2424	2008	2024-05-26_fddc3a7866dff5f4a14031eab2ba4ce3_icedid.exe	28
PID 2008 wrote to memory of 2424	2008	2024-05-26_fddc3a7866dff5f4a14031eab2ba4ce3_icedid.exe	28
PID 2008 wrote to memory of 2424	2008	2024-05-26_fddc3a7866dff5f4a14031eab2ba4ce3_icedid.exe	28
PID 2424 wrote to memory of 348	2424	download.exe	32
PID 2424 wrote to memory of 348	2424	download.exe	32
PID 2424 wrote to memory of 348	2424	download.exe	32
PID 2424 wrote to memory of 348	2424	download.exe	32

C:\Users\Admin\AppData\Local\Temp\2024-05-26_fddc3a7866dff5f4a14031eab2ba4ce3_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-26_fddc3a7866dff5f4a14031eab2ba4ce3_icedid.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Users\Admin\AppData\Local\Temp\download.exe
  admin 525AA43CA31F11C49B419CF418E8308971837B4E8756A682E28A3A3AE95EF4C71356436679DF792AD5738D8F970DB660F5E86CDB80BDDF3E user
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2424
- - C:\Users\Admin\AppData\Local\Temp\maria2c.exe
    "C:\Users\Admin\AppData\Local\Temp\maria2c.exe" --conf-path=C:\Users\Admin\AppData\Local\Temp\Mydm.conf #--save-session=C:\Users\Admin\AppData\Local\Temp\Mydm.session --input-file=C:\Users\Admin\AppData\Local\Temp\Mydm.session --rpc-listen-port=7022 --listen-port=7055 --dht-listen-port=7033 --enable-rpc=true --rpc-allow-origin-all=true --disable-ipv6=false --rpc-secret=123 --enable-dht=true --enable-dht6=true --dht-file-path=C:/Users/Admin/AppData/Local/Temp/dht.dat --dht-file-path6=C:/Users/Admin/AppData/Local/Temp/dht6.dat --bt-external-ip=
    3⤵
    - Executes dropped EXE
    PID:348

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x488
1⤵
PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Mydm.conf

Filesize
55KB

MD5
1118145726818a77402ac254749c7fb0

SHA1
42688f936ab47016785f0a5eac50e3fe9befd824

SHA256
af5d4d2e0d5e5677bf48eac3d819c32ad0dd6873c980a7f343534afa577f5075

SHA512
6bd26a91730f484901a4ff4b2b703e808997df943b7bb5bddeb07ce812eae3a11a3bf8efa5abd29926d3b40724538a7b1f6e4b14742701dd9f99015e65fab313

Download Submit
C:\Users\Admin\AppData\Local\Temp\cloud.ini

Filesize
241B

MD5
1f8228eca325e9246d1737dd7105cbf2

SHA1
dd1911b8395b16264a2d1ed2d0601ff4f9b1cc79

SHA256
7b7b00dcfbd7faed498f3156a939a834d6aaafcc2014c1e6c6d3984940aa1b96

SHA512
7c43d617abb5b44d1fb84199014a0348a20bce3f6649d8b19ce518493b9f5b13e2a3ad0a2511d2a25e5c0410a20823859e6d374e8bed0ecb3cce3d0bf46e9fdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\cloud.ini

Filesize
211B

MD5
303709e43bc013e2a0eb25babc59de95

SHA1
a073fb6a3e9feb7a92188314edd0ce21871dba4e

SHA256
02a112a94b4640d0d12049febedf6a8c9b16604344c73d55ff70940817e28f91

SHA512
e396c27ca15f9fc89a30a0efad7741cb7105fdfcfb49add5dcfb7d82a80770b63aa8c0d560abe6ece146e5e39a748adb1243f54d18501e6c792d05175ed1e4c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\maria2c.exe

Filesize
5.2MB

MD5
074721bdce1c08fae91e5ad1ded4f893

SHA1
4b71d7a9d389e152a8cb0f176233c5ee84b459f5

SHA256
cc6ccae9ef0aea76a85440d6837b3001a23657dcf02ab2230968207e797ed1fc

SHA512
6941c88827d23e4b923dd6dc211dcfb837736f4724ebb8c4012b396b1bf0a3cc4f277d491966abc9646068842eb045d117c34e179758e043be8253a574fe33d3

Download Submit
\Users\Admin\AppData\Local\Temp\download.exe

Filesize
18.6MB

MD5
e37c97e94ba6c99538d6c6fc63121749

SHA1
ba8b7b30e0881c61b17bbcd04717ba479de28e41

SHA256
9b7919159eec7ca5f0d753c56ce64aaad574fcc7694be0ee1e6aadb1ea650126

SHA512
c43987fe9fe71d46dfc4a69b26a88b16643a9ebfc0c0c77f0aa24e635f2fcc16ddfc7ae26a9cc253e327bcf986e84524230510b702f26817e45a72117d4e5e60

Download Submit
memory/348-25-0x0000000000D90000-0x00000000012C2000-memory.dmp

Filesize
5.2MB

Download
memory/2424-8-0x0000000003290000-0x00000000032F3000-memory.dmp

Filesize
396KB

Download

Analysis

Sharing