Analysis
max time kernel: 150s
max time network: 149s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 31-05-2024 09:43

Static task: static1
Behavioral task: behavioral1
Sample: 2024-05-31_7743bba6cfb7dcf82717f58a5c8ee6d5_icedid.exe
Resource: win7-20231129-en
General
Target: 2024-05-31_7743bba6cfb7dcf82717f58a5c8ee6d5_icedid.exe
Size: 4.0MB
MD5: 7743bba6cfb7dcf82717f58a5c8ee6d5
SHA1: 16618c8210a37be3575a34f04803e83c346cba48
SHA256: 9a905cbf6c7657cfbad7a8f59e9643d9b368c486801a70cc6c06c87184e381c7
SHA512: 4f99608fa3d12704d0018b043f7c91c903500c58302cfd83dbdcd28c1dee4050ac4ed28f24f02e2d70054f52f3c39fbd77aaad721eebd59152dafe6e4f68c2a3
SSDEEP: 98304:9ZJt4HINy2Lk+ip46cXdVpVpmby+r2Ohkgkh:viINy2Lk1hQA28VS
Malware Config
Signatures
Processes:
resource | yara_rule
behavioral1/memory/2880-8-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral1/memory/2880-7-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral1/memory/1660-18-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral1/memory/2880-22-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral1/memory/3052-33-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral1/memory/1660-35-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral1/memory/3052-36-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral1/memory/3052-40-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral1/memory/3052-68-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
Gh0st RAT payload 10 IoCs
Processes:
resource | yara_rule
behavioral1/memory/2880-8-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral1/memory/2880-9-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral1/memory/2880-7-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral1/memory/1660-18-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral1/memory/2880-22-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral1/memory/3052-33-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral1/memory/1660-35-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral1/memory/3052-36-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral1/memory/3052-40-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral1/memory/3052-68-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
UPX dump on OEP (original entry point) 11 IoCs
Processes:
resource | yara_rule
behavioral1/memory/2880-8-0x0000000010000000-0x00000000101B6000-memory.dmp | UPX
behavioral1/memory/2880-9-0x0000000010000000-0x00000000101B6000-memory.dmp | UPX
behavioral1/memory/2880-7-0x0000000010000000-0x00000000101B6000-memory.dmp | UPX
behavioral1/memory/2880-5-0x0000000010000000-0x00000000101B6000-memory.dmp | UPX
behavioral1/memory/1660-18-0x0000000010000000-0x00000000101B6000-memory.dmp | UPX
behavioral1/memory/2880-22-0x0000000010000000-0x00000000101B6000-memory.dmp | UPX
behavioral1/memory/3052-33-0x0000000010000000-0x00000000101B6000-memory.dmp | UPX
behavioral1/memory/1660-35-0x0000000010000000-0x00000000101B6000-memory.dmp | UPX
behavioral1/memory/3052-36-0x0000000010000000-0x00000000101B6000-memory.dmp | UPX
behavioral1/memory/3052-40-0x0000000010000000-0x00000000101B6000-memory.dmp | UPX
behavioral1/memory/3052-68-0x0000000010000000-0x00000000101B6000-memory.dmp | UPX
Drops file in Drivers directory 1 IoCs
Processes: TXPlatforn.exe
description | ioc | process
File created | C:\Windows\system32\drivers\QAssist.sys | TXPlatforn.exe
Sets service image path in registry 2 TTPs 1 IoCs
Processes: TXPlatforn.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" | TXPlatforn.exe
Executes dropped EXE 4 IoCs
Processes: RVN.exe, TXPlatforn.exe, TXPlatforn.exe, HD_2024-05-31_7743bba6cfb7dcf82717f58a5c8ee6d5_icedid.exe
pid | process
2880 | RVN.exe
1660 | TXPlatforn.exe
3052 | TXPlatforn.exe
2532 | HD_2024-05-31_7743bba6cfb7dcf82717f58a5c8ee6d5_icedid.exe
Loads dropped DLL 4 IoCs
Processes: 2024-05-31_7743bba6cfb7dcf82717f58a5c8ee6d5_icedid.exe, TXPlatforn.exe, HD_2024-05-31_7743bba6cfb7dcf82717f58a5c8ee6d5_icedid.exe
pid | process
2320 | 2024-05-31_7743bba6cfb7dcf82717f58a5c8ee6d5_icedid.exe
1660 | TXPlatforn.exe
2320 | 2024-05-31_7743bba6cfb7dcf82717f58a5c8ee6d5_icedid.exe
2532 | HD_2024-05-31_7743bba6cfb7dcf82717f58a5c8ee6d5_icedid.exe
Processes:
resource | yara_rule
behavioral1/memory/2880-8-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral1/memory/2880-9-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral1/memory/2880-7-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral1/memory/2880-5-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral1/memory/1660-18-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral1/memory/2880-22-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral1/memory/3052-33-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral1/memory/1660-35-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral1/memory/3052-36-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral1/memory/3052-40-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral1/memory/3052-68-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
Drops file in System32 directory 2 IoCs
Processes: RVN.exe
description | ioc | process
File created | C:\Windows\SysWOW64\TXPlatforn.exe | RVN.exe
File opened for modification | C:\Windows\SysWOW64\TXPlatforn.exe | RVN.exe
Drops file in Program Files directory 4 IoCs
Processes: 2024-05-31_7743bba6cfb7dcf82717f58a5c8ee6d5_icedid.exe
description | ioc | process
File created | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | 2024-05-31_7743bba6cfb7dcf82717f58a5c8ee6d5_icedid.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | 2024-05-31_7743bba6cfb7dcf82717f58a5c8ee6d5_icedid.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | 2024-05-31_7743bba6cfb7dcf82717f58a5c8ee6d5_icedid.exe
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | 2024-05-31_7743bba6cfb7dcf82717f58a5c8ee6d5_icedid.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Modifies Internet Explorer settings
Processes: IEXPLORE.EXE, IEXPLORE.EXE
All keys below are relative to \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer; the process column is IEXPLORE.EXE for every row.
description | ioc
Key created | \DomainSuggestion
Key created | \SearchScopes
Set value (data) | \TabbedBrowsing\NewTabPage\LastProcessed = 401de74b3fb3da01
Key created | \InternetRegistry
Set value (str) | \Main\WindowsSearch\Version = "WS not running"
Set value (str) | \Main\FullScreen = "no"
Set value (data) | \Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000
Set value (data) | \TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000084a48ec2bfe0414aaf19374bc3d07c190000000002000000000010660000000100002000000003a3e54df9d324ade5b9b027f8f680a5d321d55736dd5f217f72371a1043e21c000000000e800000000200002000000003e0bcc988d3873da6bedf3287298945e70a82895bc502f369e2285aa3d81550200000007d2a5dd44864110203ad4b39e6f4e50b9e3ec3b339ef7b11e9e406a095c221a840000000efd6b055060fd6720ee5a9c9cf2a2c31fa89030d1af4e385fddc2adda34c007e676ecf68ca8fdcb48062ff2b6f550ebcce678dc56eea4271aea82c3351e4965c
Key created | \GPU
Key created | \Recovery\AdminActive
Key created | \Recovery\PendingRecovery
Set value (int) | \Recovery\PendingRecovery\AdminActive = "1"
Set value (data) | \TabbedBrowsing\NewTabPage\MFV = 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
Key created | \Toolbar
Key created | \Zoom
Key created | \Toolbar\WebBrowser
Key created | \SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
Key created | \TabbedBrowsing
Key created | \TabbedBrowsing\NewTabPage
Key created | \Main
Key created | \IntelliForms
Key created | \Main\WindowsSearch
Key created | \Main
Set value (int) | \Recovery\PendingRecovery\AdminActive = "0"
Set value (int) | \DomainSuggestion\NextUpdateDate = "423310469"
Set value (str) | \SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico"
Key created | \LowRegistry\DOMStorage
Set value (int) | \Recovery\AdminActive\{37AFCA21-1F32-11EF-B459-56A82BE80DF6} = "0"
Key created | \IETld\LowMic
Key created | \PageSetup
Set value (int) | \TabbedBrowsing\NTPFirstRun = "1"
Key created | \LowRegistry\DontShowMeThisDialogAgain
Set value (int) | \SearchScopes\DownloadRetries = "2"
Set value (int) | \Main\CompatibilityFlags = "0"
Key created | \BrowserEmulation\LowMic
Key created | \LowRegistry
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes: 2024-05-31_7743bba6cfb7dcf82717f58a5c8ee6d5_icedid.exe
pid | process
2320 | 2024-05-31_7743bba6cfb7dcf82717f58a5c8ee6d5_icedid.exe
Suspicious behavior: LoadsDriver 1 IoCs
Processes: TXPlatforn.exe
pid | process
3052 | TXPlatforn.exe
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes: RVN.exe, TXPlatforn.exe
description | pid | process
Token: SeIncBasePriorityPrivilege | 2880 | RVN.exe
Token: SeLoadDriverPrivilege | 3052 | TXPlatforn.exe
Token: 33 | 3052 | TXPlatforn.exe
Token: SeIncBasePriorityPrivilege | 3052 | TXPlatforn.exe
Token: 33 | 3052 | TXPlatforn.exe
Token: SeIncBasePriorityPrivilege | 3052 | TXPlatforn.exe
Suspicious use of FindShellTrayWindow 1 IoCs
Processes: IEXPLORE.EXE
pid | process
2720 | IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 8 IoCs
Processes: 2024-05-31_7743bba6cfb7dcf82717f58a5c8ee6d5_icedid.exe, IEXPLORE.EXE, IEXPLORE.EXE
pid | process
2320 | 2024-05-31_7743bba6cfb7dcf82717f58a5c8ee6d5_icedid.exe
2320 | 2024-05-31_7743bba6cfb7dcf82717f58a5c8ee6d5_icedid.exe
2720 | IEXPLORE.EXE
2720 | IEXPLORE.EXE
1920 | IEXPLORE.EXE
1920 | IEXPLORE.EXE
1920 | IEXPLORE.EXE
1920 | IEXPLORE.EXE
Suspicious use of WriteProcessMemory 38 IoCs
Processes: 2024-05-31_7743bba6cfb7dcf82717f58a5c8ee6d5_icedid.exe, RVN.exe, TXPlatforn.exe, cmd.exe, HD_2024-05-31_7743bba6cfb7dcf82717f58a5c8ee6d5_icedid.exe, iexplore.exe, IEXPLORE.EXE
Identical rows are collapsed; the count column gives how many times each write was recorded (38 in total).
description | pid | process | target process | count
PID 2320 wrote to memory of 2880 | 2320 | 2024-05-31_7743bba6cfb7dcf82717f58a5c8ee6d5_icedid.exe | RVN.exe | 7
PID 2880 wrote to memory of 2832 | 2880 | RVN.exe | cmd.exe | 4
PID 1660 wrote to memory of 3052 | 1660 | TXPlatforn.exe | TXPlatforn.exe | 7
PID 2320 wrote to memory of 2532 | 2320 | 2024-05-31_7743bba6cfb7dcf82717f58a5c8ee6d5_icedid.exe | HD_2024-05-31_7743bba6cfb7dcf82717f58a5c8ee6d5_icedid.exe | 4
PID 2832 wrote to memory of 2620 | 2832 | cmd.exe | PING.EXE | 4
PID 2532 wrote to memory of 1968 | 2532 | HD_2024-05-31_7743bba6cfb7dcf82717f58a5c8ee6d5_icedid.exe | iexplore.exe | 4
PID 1968 wrote to memory of 2720 | 1968 | iexplore.exe | IEXPLORE.EXE | 4
PID 2720 wrote to memory of 1920 | 2720 | IEXPLORE.EXE | IEXPLORE.EXE | 4
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\2024-05-31_7743bba6cfb7dcf82717f58a5c8ee6d5_icedid.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-05-31_7743bba6cfb7dcf82717f58a5c8ee6d5_icedid.exe"
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

  Level 2: C:\Users\Admin\AppData\Local\Temp\RVN.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\\RVN.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\RVN.exe > nul
    - Suspicious use of WriteProcessMemory

      Level 4: C:\Windows\SysWOW64\PING.EXE
      Command line: ping -n 2 127.0.0.1
      - Runs ping.exe

  Level 2: C:\Users\Admin\AppData\Local\Temp\HD_2024-05-31_7743bba6cfb7dcf82717f58a5c8ee6d5_icedid.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\HD_2024-05-31_7743bba6cfb7dcf82717f58a5c8ee6d5_icedid.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

    Level 3: C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://se.360.cn/
    - Suspicious use of WriteProcessMemory

      Level 4: C:\Program Files\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://se.360.cn/
      - Modifies Internet Explorer settings
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

        Level 5: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2720 CREDAT:275457 /prefetch:2
        - Modifies Internet Explorer settings
        - Suspicious use of SetWindowsHookEx

Level 1: C:\Windows\SysWOW64\TXPlatforn.exe
Command line: C:\Windows\SysWOW64\TXPlatforn.exe -auto
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

  Level 2: C:\Windows\SysWOW64\TXPlatforn.exe
  Command line: C:\Windows\SysWOW64\TXPlatforn.exe -acsi
  - Drops file in Drivers directory
  - Sets service image path in registry
  - Executes dropped EXE
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC
Filesize: 914B
MD5: e4a68ac854ac5242460afd72481b2a44
SHA1: df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256: cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA512: 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize: 70KB
MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1: 1723be06719828dda65ad804298d0431f6aff976
SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize: 1KB
MD5: a266bb7dcc38a562631361bbf61dd11b
SHA1: 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256: df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512: 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
Filesize: 252B
MD5: e659eb79b5c53a59fcc34935176b1395
SHA1: 4d98b47ef154a6cc98a7cd58b0426fe6087fabf4
SHA256: 97395a10f961d77356aa1c3be61c9b93b3d6c9664a7cf58fbdf7596c962ff32f
SHA512: 2f6e3645668166acaac426d4bb38bf4783e22bc8be9bb49c8fb3ec8843564425a36ffe40941dcea30a7f0e44f18f2f17edbae3bfe5d59225066a0104a3765366

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 8f65f22d02f049ebcebdd8e5ec6e4220
SHA1: 3c43ea011c372c9c80a28a45645d1550d57650e5
SHA256: c0a74befc44ab89f629ad342d30feba91ece11e6cbd05da1293b2060beb2bb1d
SHA512: 42159942a71c2ea377bf2dfacec590a000c19da31c79e0d6344a518d3c1640d830c1bc581a548a8332ac0ff9ff14dabd7b89581fbf9c0b46ae97c05658dc200a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: a3a12937ed12582d542862e600f10c7c
SHA1: 78e015f60d9c611af3e42cc33d3efc1d305b10ca
SHA256: 1cc09469a398ed482f6f70db212fbc30061c23a1d8da8cc17411ffc6dfae2c99
SHA512: b7ebf1b8b176e888eb06619c0650c94cb605f033afd29c894a0274385b6510637ce514c61fffc06ad89567203439934882b404085f43f3935989ac39ea42967d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: b4763cdffdf44d591aec9ec2f8d003ee
SHA1: 4c41af2183f5387a1e1c12a12d84ac4ce534df33
SHA256: f31d9a2f0db591805849d9cde5d8a7b6292986906daa6faed8ea5ec8e6412a52
SHA512: 582f0becf5d7b87545d59e30edc0ee8490451b086af15778c4e6348d94f3036744281ca437be64bdf800cc8c3871b5ea164eca25d1dfa09a7ea191569676ccaa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 130a18bedf6157aee5d6f74545f898de
SHA1: 85da6a64e8f571fe871831ed724596668cdb4488
SHA256: ecef9042032476160904a4c361b1ee53cb0856863ea4a74ceebbfe7f0228c86a
SHA512: bb8a186031d6fe1259955786d79840e94cb74dd1c145fd649eaa9a6ab35ed4c4ed5f734d21d008e7c20300d72c1091a58a4cb512b02c39188002b82e18dee81e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 56bf10253a298eb0eda454a667953e14
SHA1: 6af34fbeaf0fa623b4a11f8e450c2fab680fde48
SHA256: e58622a3fcc8d5f6b02d6226242a79f63cd6d1601cb0922c020c60009f8a854c
SHA512: a651e594de0cfcfd047e47792376c1f28810dfd025304faf0fd99c14989de65c3c687d4979d6f77553cd4ff52d728f97f9a673388705aae6b71ebb99961f6224

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 4fcd835df62b35b7198feccd6e2b8ef7
SHA1: 480c2236cfc98398078a1a920c068b6fae16ad63
SHA256: e2431f7d1cf7e5797b50f86a49b47d418f0a312b6914d3f3ec2c5aeed41cc524
SHA512: b9caa43951bb652c4bc802a9354d7d1aa03728f769c943aa83f78d6056ab5316d3f6540de491584723dfcdf04e1df798a56b07a6ae0ef1a615059eedf44dd617

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 862520ba2cc36f0a821e61740a739729
SHA1: de9389acc3ab58320f2b74daebf88c724a98207e
SHA256: 56b54ce91156e5eb9795ecf564b222c1d7ac38add8c601ecfadff96a58f2f116
SHA512: fc4ad67e91be112b496eb420b0324797f568e1865b2a4a33bdb4cbe89c585daeb574d4674fc2ea8e3f1bde973e2e3e028ec1745ea59d68025738640536aebbec

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: c572db424d65827717e37d0db1822b6b
SHA1: bbd56f8a83a00608e667b4ed26617dd084ff8efc
SHA256: 6993ba83a6c3d20e2e066c6390cf6c5ced8d9138dc0a262361508ae313ccc7c8
SHA512: 75ea7a1bdd233b1f0f07fd239b0c53999e7fca5da275c20ddac8ba61028ad03c2e1a19b4f5ad7e9dbf23cef0ce48a79ba253376fb678c5883d20aa8974201a43

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 69bf93130214209347f74396b311a75a
SHA1: 9818a25499dbc8987d3493a6e410c351bc4106f1
SHA256: 11adc31ac031748f32d2766167b138969c1df1292a15b65bfd21b41d12ae472a
SHA512: e766ceeacf50fabe118cc4c4a6ffb29d7bbc0dab072d07ed2ef4c6af682ff88fa8b5eeda7560ef567fc4e447c6caa246286405d126248a6a595560f601918106

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 48fd40cd4bebaadc1264edf2e9896a41
SHA1: 377f875aeb66782f88d9f77161b3c01a033bec60
SHA256: 400bd17bf78b258130c31219ab265d53e2ab7be52e4a081e9a789a12a74c462f
SHA512: 8d8013c09731b0c6917648888e06d6c8afab34dc568310cc82ce51c4f5ad5c050d9b6686d24ebdc4046cd581b977eba1e14270a4d2114f394c75ab5902f7109b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 1aa79ed916054710000166f2a34fa2f5
SHA1: c3bf416a1b6b65e69c379a7585c31230c15113f0
SHA256: 9970b9cbafd794e88acb66ebd65bcf4d66d319a889ef492514a79b281c34fdfa
SHA512: 9722c724e8b25751aa4f24d19f80f4504206d9aaa985a4becc5236fc4a39c4921100860c1b29ceadc1c3b160a65f51b012e7352c4ba1b1f8c0a1e72ae86a54b5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: c8617e8e22d15968ccf86c6fecf18fc2
SHA1: f8b3aa45774bd1be0f022ee441d4daeffe0bc5ae
SHA256: 25f9ef333aae27960eafcef98578f2ab7c856fb7070268efd35fdc113b696d6e
SHA512: 5d723815a1b08205471e0c801b799e6d872d2312881c2e7d245877b96c717ffdae74796e62292dd18a1ffc3ae0361f7cbfaf1811e67a6cee7fd4cd4b68c1a470

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: c3ca09b0c4ada6dae4ef25a56d2ee3d9
SHA1: 9bb97148c6c4fb5befb44c78e6a2037f0583f27e
SHA256: 01b2a4617f5665842a17148d500f8bf5561e19bbcb85e6f62ddffce15245fbad
SHA512: f5cd35e2c28b5394d5bc8084ff7be9278c7b6625e2afbed1fab83bfbc330ecb85988d0aab591b0024511c46dc4baa8ecdb74594e206d1b8df1d56fff2074fde7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 07f958fa3c0af3425de94f61ee55398b
SHA1: 1fd2c0e2b4c41e0f224af80ffeeed47b1e9fb8a4
SHA256: 2554ee0047c880ec525bcc815af4e037a2a56d9d30b84d10da38533516d56666
SHA512: a8c538ada42c51ca42cc10f6c4681089ada00a31c9f0653e4ddb9d7754d23cbe6078e668b06bc12ee8c2ce771cb7bee64105a74e354ee25781e0e3a9df7880fd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: f810f64ee16cce8df28fd957376c6e2b
SHA1: 22e25c97f17f3905e34d12a50cc2fe2dca3cb767
SHA256: 91c82e86c74c09a5da7f549a92b769bc29e9828c2c1ece9302141fd185504939
SHA512: 41dddbc8a5fc9ec8a484798fb75b5641d8ae496bda16330098dd19a3fe0b97e338227d816ff693a6885a6917cfe054a8a8f363fce7bfaad4a8903637d5ceb300

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 0dc304dad29dc4d797b1bc1a2c1a33f1
SHA1: c3afc105d75c271bcf4413ca7a8c0b5ae6dfd2ce
SHA256: 1527eab22a29f15408d4845da3ec22c9e2e12b695850007f5c76e6fedfba7e36
SHA512: f805513aed01aa79b05024990fbc6a60604b00ed440019ab304347ce96411107bc2e73f5ba5a535de27f6fd38419676b5ce4b2e8aac9b7a900d2a659dab93e0e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 9f23a790bc18a1216f4a529af2abf3da
SHA1: 07cd86afb7041a693bdba73720dab0537b38fbe9
SHA256: e7b04f51b55fdb9c73869cf897f82f3ef1a0630e502a66019656b2001872e827
SHA512: cc05cd8c7f725e5d2204873b997ccb42989c7b046d4cd372eb7554b9bedb1e4c4460ffe8444d236b45ae0a625c9097349ed1b6a60abf0c78d135e1dbfa739640

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 50de63bb9385890615462260165d5b7c
SHA1: ccfcd736f12cf524bdd074a4ad9934ac68efd078
SHA256: 109c70df73ef9d5f2c95da9f084aa8a30d3ea3de8a08d3454b940b38677405f7
SHA512: 88733a343a9ee33bc219995236ff82766da25c7f2503ea8c3469d2e6bec1bf15a5b5c57ad1bc91b627ca94add4da6b9a1e162336d64a30fb370b8ef857876233

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 6d0dca1c4373d830c1986180bf910604
SHA1: a798fe1f98bc1938b4601bcfaa5324b02a9f4fbd
SHA256: 086e61f5d40af3166671c545a95e29ecb445454822c85aca44fbad8ea1b44578
SHA512: f3df903e0cba08725b5734ed8f50b25be7db8faa54cfd2b5e6e1b05e7a06329adb02e565eaac28f085aabf3435ef7b19166340bf80db41e7e3ecb7ffd8bfd696

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize: 242B
MD5: 69e7b8b512c1fc9c498e62a072ee50f3
SHA1: 0b05eefe2af7f85668db11745a4c9edcc1fb6f19
SHA256: 9ea80c54c0f9cf498493d9e2818d403b4b5cddf199b474bb08956c64314ba4dd
SHA512: b147e86ed8e40499823b817c135f8333c2d397d0f859071617395c387f3d7cebfdbd9cfbc3077e4f8225d62525b8a27ed57e32ab9df82208f98f8fc698097add

C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
Filesize: 4KB
MD5: da597791be3b6e732f0bc8b20e38ee62
SHA1: 1125c45d285c360542027d7554a5c442288974de
SHA256: 5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07
SHA512: d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

C:\Users\Admin\AppData\Local\Temp\HD_X.dat
Filesize: 1.2MB
MD5: 55de90887452d29933661ea4386b7801
SHA1: 374e75e5f3ffbae4fcb50a433aa93dc7e0268f06
SHA256: 2458a07a425b2129985ad1f44d3c8f89a20ee237b47ae6b569a49dec48241bff
SHA512: 227dcfe33eefb85166c421a4593e4aa13a3d5a633de82dbe8238a447fb75c9ff05b5de4500d76c6a264dff0798e0b619da6475322f4a4adb67519baaf20c4ed3

C:\Users\Admin\AppData\Local\Temp\Tar326B.tmp
Filesize: 181KB
MD5: 4ea6026cf93ec6338144661bf1202cd1
SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

\Users\Admin\AppData\Local\Temp\HD_2024-05-31_7743bba6cfb7dcf82717f58a5c8ee6d5_icedid.exe
Filesize: 2.8MB
MD5: acafd63654acc5f3799fbeb8f73d6b16
SHA1: 1d4402e6a26a06779a35a2362d186ebca951b1b1
SHA256: 1ab0fdf2d3c814acfd991054a001c4a19dc2fb1605e706a27f531cb32c79a6cb
SHA512: e127508b1f300d6499a9200a87c6a9e6bb2a6a174d05b84485d446663186562e6ff4eb3c827acf59bcd2d095d9889b6e4ddd8b5e41dd7a20d78d04ee06b79ed2

\Users\Admin\AppData\Local\Temp\RVN.exe
Filesize: 377KB
MD5: 80ade1893dec9cab7f2e63538a464fcc
SHA1: c06614da33a65eddb506db00a124a3fc3f5be02e
SHA256: 57a920389c044e3f5cf93dabff67070b4511e79779b6f874e08f92d8b0d7afbd
SHA512: fffd4f3fccb5301b3c7a5b3bd92747f31549fbd9d0803fe5d502d1bb0ef979140988718c2ee1406ed3e755790d275185e120a56cbcb5ed2eadf62b5cdbfc4cc4

Memory dumps (Filesize: 1.7MB each):
memory/1660-18-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/1660-35-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/2880-5-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/2880-22-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/2880-7-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/2880-9-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/2880-8-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/3052-33-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/3052-36-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/3052-40-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/3052-68-0x0000000010000000-0x00000000101B6000-memory.dmp