786ab705663654c3f4cd173567008518cb24fa3e09d5ed9f0f65b2ff449ccd82

General

Target

2024-05-26_fddc3a7866dff5f4a14031eab2ba4ce3_icedid.exe
Size

19.4MB
MD5

fddc3a7866dff5f4a14031eab2ba4ce3
SHA1

78f7ce27d8ad5a5d903dd8e80a6d0fdd8c9c726b
SHA256

786ab705663654c3f4cd173567008518cb24fa3e09d5ed9f0f65b2ff449ccd82
SHA512

25a47ff39c2680bb5b39651f4812642b0cc3d0ae9155b5dc84dc2939e90c1e09b97336707f46fd15932a7730e0e7688b0209c114a8fd1fe9542b3563562f7c88
SSDEEP

393216:6NoiEpT6ec9rARDnsflCQIGD4O0vtLpY0j9:JiEpGec/41vtLp/B

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	download.exe

Executes dropped EXE 2 IoCs

pid	Process
1128	download.exe
4648	maria2c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1128	download.exe
1128	download.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1128	download.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1128	download.exe
1128	download.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1128	download.exe
1128	download.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3628	2024-05-26_fddc3a7866dff5f4a14031eab2ba4ce3_icedid.exe
3628	2024-05-26_fddc3a7866dff5f4a14031eab2ba4ce3_icedid.exe
1128	download.exe
1128	download.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 3628 wrote to memory of 1128	3628	2024-05-26_fddc3a7866dff5f4a14031eab2ba4ce3_icedid.exe	82
PID 3628 wrote to memory of 1128	3628	2024-05-26_fddc3a7866dff5f4a14031eab2ba4ce3_icedid.exe	82
PID 3628 wrote to memory of 1128	3628	2024-05-26_fddc3a7866dff5f4a14031eab2ba4ce3_icedid.exe	82
PID 1128 wrote to memory of 4648	1128	download.exe	99
PID 1128 wrote to memory of 4648	1128	download.exe	99

C:\Users\Admin\AppData\Local\Temp\2024-05-26_fddc3a7866dff5f4a14031eab2ba4ce3_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-26_fddc3a7866dff5f4a14031eab2ba4ce3_icedid.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3628
- C:\Users\Admin\AppData\Local\Temp\download.exe
  admin 525AA43CA31F11C49B419CF418E8308971837B4E8756A682E28A3A3AE95EF4C71356436679DF792AD5738D8F970DB660F5E86CDB80BDDF3E user
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1128
- - C:\Users\Admin\AppData\Local\Temp\maria2c.exe
    "C:\Users\Admin\AppData\Local\Temp\maria2c.exe" --conf-path=C:\Users\Admin\AppData\Local\Temp\Mydm.conf #--save-session=C:\Users\Admin\AppData\Local\Temp\Mydm.session --input-file=C:\Users\Admin\AppData\Local\Temp\Mydm.session --rpc-listen-port=7022 --listen-port=7055 --dht-listen-port=7033 --enable-rpc=true --rpc-allow-origin-all=true --disable-ipv6=false --rpc-secret=123 --enable-dht=true --enable-dht6=true --dht-file-path=C:/Users/Admin/AppData/Local/Temp/dht.dat --dht-file-path6=C:/Users/Admin/AppData/Local/Temp/dht6.dat --bt-external-ip=
    3⤵
    - Executes dropped EXE
    PID:4648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Mydm.conf

Filesize
55KB

MD5
1118145726818a77402ac254749c7fb0

SHA1
42688f936ab47016785f0a5eac50e3fe9befd824

SHA256
af5d4d2e0d5e5677bf48eac3d819c32ad0dd6873c980a7f343534afa577f5075

SHA512
6bd26a91730f484901a4ff4b2b703e808997df943b7bb5bddeb07ce812eae3a11a3bf8efa5abd29926d3b40724538a7b1f6e4b14742701dd9f99015e65fab313

Download Submit
C:\Users\Admin\AppData\Local\Temp\cloud.ini

Filesize
241B

MD5
e0605b2bab6d8a03624184fdaa830e37

SHA1
40f6590eb618c5b2b2aa0ce215c642f2960cf6cd

SHA256
cb88e91f87fb6ffba19a141bc191839cb705980dcb7bd0fc05a68389a6a51e7c

SHA512
6f7fcab3f12874077d5123cab70fe2fd2019c9e4937345275bd252cf13efd11d37afaf30295f5c3b8f2ba6be9a30595b67e379008270bd78e6e0abdb15879dc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\cloud.ini

Filesize
211B

MD5
303709e43bc013e2a0eb25babc59de95

SHA1
a073fb6a3e9feb7a92188314edd0ce21871dba4e

SHA256
02a112a94b4640d0d12049febedf6a8c9b16604344c73d55ff70940817e28f91

SHA512
e396c27ca15f9fc89a30a0efad7741cb7105fdfcfb49add5dcfb7d82a80770b63aa8c0d560abe6ece146e5e39a748adb1243f54d18501e6c792d05175ed1e4c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\download.exe

Filesize
18.6MB

MD5
e37c97e94ba6c99538d6c6fc63121749

SHA1
ba8b7b30e0881c61b17bbcd04717ba479de28e41

SHA256
9b7919159eec7ca5f0d753c56ce64aaad574fcc7694be0ee1e6aadb1ea650126

SHA512
c43987fe9fe71d46dfc4a69b26a88b16643a9ebfc0c0c77f0aa24e635f2fcc16ddfc7ae26a9cc253e327bcf986e84524230510b702f26817e45a72117d4e5e60

Download Submit
C:\Users\Admin\AppData\Local\Temp\maria2c.exe

Filesize
5.2MB

MD5
074721bdce1c08fae91e5ad1ded4f893

SHA1
4b71d7a9d389e152a8cb0f176233c5ee84b459f5

SHA256
cc6ccae9ef0aea76a85440d6837b3001a23657dcf02ab2230968207e797ed1fc

SHA512
6941c88827d23e4b923dd6dc211dcfb837736f4724ebb8c4012b396b1bf0a3cc4f277d491966abc9646068842eb045d117c34e179758e043be8253a574fe33d3

Download Submit
memory/1128-7-0x00000000044C0000-0x0000000004523000-memory.dmp

Filesize
396KB

Download
memory/4648-23-0x00000000001C0000-0x00000000006F2000-memory.dmp

Filesize
5.2MB

Download

Analysis

Sharing