915ca133c99fb5f2c0086faaefcf759e0a5fd2ed21073a132e4c3521ab9ca947

General

Target

2024-05-28_a717113f71eae6745b6337c3c5446830_icedid.exe
Size

13.6MB
MD5

a717113f71eae6745b6337c3c5446830
SHA1

82ff18ff0b3696fb2613b0c882fe42983ab44392
SHA256

915ca133c99fb5f2c0086faaefcf759e0a5fd2ed21073a132e4c3521ab9ca947
SHA512

0ad7c6eb5acae6b2468fa2ee569d525389aa0278bec0dba77ee3a40abc2e2828242f68b4a15099f09323ece7dbb4fd35e58da3d32bf7573af82bc17736554b58
SSDEEP

196608:wLF8XVfWn24fRsChmwsAoWEZ9vjKGic9BDal:YFApWPZsY5nu9LKjc9s

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

Processes:

2024-05-28_a717113f71eae6745b6337c3c5446830_icedid.exe

pid process

628 2024-05-28_a717113f71eae6745b6337c3c5446830_icedid.exe
628 2024-05-28_a717113f71eae6745b6337c3c5446830_icedid.exe

pid	process
628	2024-05-28_a717113f71eae6745b6337c3c5446830_icedid.exe
628	2024-05-28_a717113f71eae6745b6337c3c5446830_icedid.exe

Unexpected DNS network traffic destination 20 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	223.5.5.5
Destination IP	223.5.5.5
Destination IP	223.6.6.6
Destination IP	223.5.5.5
Destination IP	223.5.5.5
Destination IP	223.5.5.5
Destination IP	223.5.5.5
Destination IP	223.5.5.5
Destination IP	223.5.5.5
Destination IP	223.6.6.6
Destination IP	223.5.5.5
Destination IP	223.6.6.6
Destination IP	223.5.5.5
Destination IP	223.5.5.5
Destination IP	223.5.5.5
Destination IP	223.5.5.5
Destination IP	223.6.6.6
Destination IP	223.5.5.5
Destination IP	223.5.5.5
Destination IP	223.5.5.5

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

2024-05-28_a717113f71eae6745b6337c3c5446830_icedid.exe

pid process

628 2024-05-28_a717113f71eae6745b6337c3c5446830_icedid.exe
628 2024-05-28_a717113f71eae6745b6337c3c5446830_icedid.exe

pid	process
628	2024-05-28_a717113f71eae6745b6337c3c5446830_icedid.exe
628	2024-05-28_a717113f71eae6745b6337c3c5446830_icedid.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

2024-05-28_a717113f71eae6745b6337c3c5446830_icedid.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 628 wrote to memory of 1108	628	2024-05-28_a717113f71eae6745b6337c3c5446830_icedid.exe	cmd.exe
PID 628 wrote to memory of 1108	628	2024-05-28_a717113f71eae6745b6337c3c5446830_icedid.exe	cmd.exe
PID 628 wrote to memory of 1108	628	2024-05-28_a717113f71eae6745b6337c3c5446830_icedid.exe	cmd.exe
PID 1108 wrote to memory of 3284	1108	cmd.exe	cmd.exe
PID 1108 wrote to memory of 3284	1108	cmd.exe	cmd.exe
PID 1108 wrote to memory of 3284	1108	cmd.exe	cmd.exe
PID 3284 wrote to memory of 4956	3284	cmd.exe	netsh.exe
PID 3284 wrote to memory of 4956	3284	cmd.exe	netsh.exe
PID 3284 wrote to memory of 4956	3284	cmd.exe	netsh.exe
PID 628 wrote to memory of 2440	628	2024-05-28_a717113f71eae6745b6337c3c5446830_icedid.exe	cmd.exe
PID 628 wrote to memory of 2440	628	2024-05-28_a717113f71eae6745b6337c3c5446830_icedid.exe	cmd.exe
PID 628 wrote to memory of 2440	628	2024-05-28_a717113f71eae6745b6337c3c5446830_icedid.exe	cmd.exe
PID 2440 wrote to memory of 3116	2440	cmd.exe	cmd.exe
PID 2440 wrote to memory of 3116	2440	cmd.exe	cmd.exe
PID 2440 wrote to memory of 3116	2440	cmd.exe	cmd.exe
PID 3116 wrote to memory of 4820	3116	cmd.exe	netsh.exe
PID 3116 wrote to memory of 4820	3116	cmd.exe	netsh.exe
PID 3116 wrote to memory of 4820	3116	cmd.exe	netsh.exe
PID 628 wrote to memory of 2108	628	2024-05-28_a717113f71eae6745b6337c3c5446830_icedid.exe	cmd.exe
PID 628 wrote to memory of 2108	628	2024-05-28_a717113f71eae6745b6337c3c5446830_icedid.exe	cmd.exe
PID 628 wrote to memory of 2108	628	2024-05-28_a717113f71eae6745b6337c3c5446830_icedid.exe	cmd.exe
PID 2108 wrote to memory of 4396	2108	cmd.exe	cmd.exe
PID 2108 wrote to memory of 4396	2108	cmd.exe	cmd.exe
PID 2108 wrote to memory of 4396	2108	cmd.exe	cmd.exe
PID 4396 wrote to memory of 3852	4396	cmd.exe	netsh.exe
PID 4396 wrote to memory of 3852	4396	cmd.exe	netsh.exe
PID 4396 wrote to memory of 3852	4396	cmd.exe	netsh.exe
PID 628 wrote to memory of 1088	628	2024-05-28_a717113f71eae6745b6337c3c5446830_icedid.exe	cmd.exe
PID 628 wrote to memory of 1088	628	2024-05-28_a717113f71eae6745b6337c3c5446830_icedid.exe	cmd.exe
PID 628 wrote to memory of 1088	628	2024-05-28_a717113f71eae6745b6337c3c5446830_icedid.exe	cmd.exe
PID 1088 wrote to memory of 4176	1088	cmd.exe	cmd.exe
PID 1088 wrote to memory of 4176	1088	cmd.exe	cmd.exe
PID 1088 wrote to memory of 4176	1088	cmd.exe	cmd.exe
PID 4176 wrote to memory of 1944	4176	cmd.exe	netsh.exe
PID 4176 wrote to memory of 1944	4176	cmd.exe	netsh.exe
PID 4176 wrote to memory of 1944	4176	cmd.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-28_a717113f71eae6745b6337c3c5446830_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-28_a717113f71eae6745b6337c3c5446830_icedid.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:628
- C:\Windows\SysWOW64\cmd.exe
  /c cmd /c netsh interface ip set dns Ethernet static 223.5.5.5
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1108
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c netsh interface ip set dns Ethernet static 223.5.5.5
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3284
  - - C:\Windows\SysWOW64\netsh.exe
      netsh interface ip set dns Ethernet static 223.5.5.5
      4⤵
      PID:4956
- C:\Windows\SysWOW64\cmd.exe
  /c cmd /c netsh interface ip add dns name="Ethernet" addr=223.6.6.6 index=2
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2440
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c netsh interface ip add dns name="Ethernet" addr=223.6.6.6 index=2
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3116
  - - C:\Windows\SysWOW64\netsh.exe
      netsh interface ip add dns name="Ethernet" addr=223.6.6.6 index=2
      4⤵
      PID:4820
- C:\Windows\SysWOW64\cmd.exe
  /c cmd /c netsh interface ip set dns Ethernet static 223.5.5.5
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2108
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c netsh interface ip set dns Ethernet static 223.5.5.5
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4396
  - - C:\Windows\SysWOW64\netsh.exe
      netsh interface ip set dns Ethernet static 223.5.5.5
      4⤵
      PID:3852
- C:\Windows\SysWOW64\cmd.exe
  /c cmd /c netsh interface ip add dns name="Ethernet" addr=223.6.6.6 index=2
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1088
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c netsh interface ip add dns name="Ethernet" addr=223.6.6.6 index=2
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4176
  - - C:\Windows\SysWOW64\netsh.exe
      netsh interface ip add dns name="Ethernet" addr=223.6.6.6 index=2
      4⤵
      PID:1944

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4440 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
1⤵
PID:2320

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\E2EECore.2.7.2.dll

Filesize
8.4MB

MD5
8b6c94bbdbfb213e94a5dcb4fac28ce3

SHA1
b56102ca4f03556f387f8b30e2b404efabe0cb65

SHA256
982a177924762f270b36fe34c7d6847392b48ae53151dc2011078dceef487a53

SHA512
9d6d63b5d8cf7a978d7e91126d7a343c2f7acd00022da9d692f63e50835fdd84a59a93328564f10622f2b1f6adfd7febdd98b8ddb294d0754ed45cc9c165d25a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl.dll

Filesize
2.5MB

MD5
298f5812023bab65ee23d13ee9489a6e

SHA1
71e9d7f205e5e7af6907c539c77a3aeea971692f

SHA256
fe100d35b034c15ae3b74379f4eedd321c8e4b84fe666b54ee924ca2a8bdca6e

SHA512
217258fb7728f61199f913fb98c894077c12a124e1596d1c6c7cfc065d4d2a6e1e03ad950c3321e2a8dcd997fb5c9524f98530db4bcb39f9914ecb5ff0e22dbd

Download Submit

Analysis

Sharing