Malware Analysis Report

2025-01-03 09:33

Sample ID 240604-pel7zagb93
Target 2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid
SHA256 55e31b5024be7792d36b03671f731144356aa7dc83746fb1062c0e9eb341a33d
Tags
bootkit persistence upx
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

55e31b5024be7792d36b03671f731144356aa7dc83746fb1062c0e9eb341a33d

Threat Level: Known bad

The file 2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid was found to be: Known bad.

Malicious Activity Summary

bootkit persistence upx

UPX dump on OEP (original entry point)

ACProtect 1.3x - 1.4x DLL software

Loads dropped DLL

UPX packed file

Writes to the Master Boot Record (MBR)

Drops file in Program Files directory

Unsigned PE

Suspicious use of SetWindowsHookEx

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-04 12:14

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-04 12:14

Reported

2024-06-04 12:17

Platform

win7-20240221-en

Max time kernel

150s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe"

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\JiaRong\JiaRsoft.jrs C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
File created C:\Program Files\JiaRong\JiaRjishu.jrs C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3BB506AB-425B-43B0-BC82-28A61FCCF686}\TypeLib C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F623A5E8-4AE4-494E-975B-3C5404428625} C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{4018F953-1BFE-441e-8A04-DC8BA1FF060E}\ = "gregn6" C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{07120975-B963-4F75-9B4D-0AC979FEBB5D}\TypeLib C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9EF8E78-8E3A-428C-93C5-F52E146CB6FF}\ = "IGRPen" C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4FA44042-1421-46DE-9ACA-A44753FF06C6}\TypeLib\ = "{4018F953-1BFE-441E-8A04-DC8BA1FF060E}" C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C3112650-36D2-4928-9D6C-C0A21CCC1EBA}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2564DCE8-FEDB-4EB6-B7F9-5026F7F1041E}\TypeLib C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CB11F828-A97B-4BC3-9B7A-9D2DDEB1C229}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{04CEA260-DD00-4954-A81F-F0A201343CB9}\ = "IGRField" C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E5561733-9CD9-4D47-AE6B-3CB10A3D6772}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60EB191F-5E63-41E7-807F-C66EC7A8EF26} C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CB11F828-A97B-4BC3-9B7A-9D2DDEB1C229}\TypeLib C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{53E18537-559D-4EF2-94C3-47A1EF38100F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{44CBB5DE-5AFB-4c3d-8F3F-0F70CA5372AD}\ToolboxBitmap32\ = "C:\\Program Files\\JiaRong\\JiaRjishu.jrs, 109" C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B2CC2C43-CF42-4E38-BDBB-5C04DF11793F}\TypeLib\Version = "6.0" C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C4ACA069-B92C-401A-B175-354E00D538D9}\ = "IGRLine" C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2564DCE8-FEDB-4EB6-B7F9-5026F7F1041E}\TypeLib\Version = "6.0" C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D4708B2F-DC00-4EF6-9559-A5DD9E86047C}\ = "IGRFont" C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{48636E6A-758E-46C0-B37A-C2A2CAC9469A}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{07120975-B963-4F75-9B4D-0AC979FEBB5D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EBF161F0-F347-441A-9C0D-0ACA7824793B} C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C04A6148-7500-41EF-8062-BD89A0A92D40}\TypeLib\Version = "6.0" C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D40307C2-9342-4C0D-9734-A103418186FE}\TypeLib\ = "{4018F953-1BFE-441E-8A04-DC8BA1FF060E}" C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8FE11B07-22DC-4691-85D7-0469364B4B46}\ = "IGRFreeGridColumn" C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C4ACA069-B92C-401A-B175-354E00D538D9}\TypeLib\ = "{4018F953-1BFE-441E-8A04-DC8BA1FF060E}" C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6CA58CB2-2AD1-4ad0-B3CC-5F5C000BBDEE}\AppID = "{4018F953-1BFE-441e-8A04-DC8BA1FF060E}" C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48636E6A-758E-46C0-B37A-C2A2CAC9469A}\ = "IGRControls" C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C04A6148-7500-41EF-8062-BD89A0A92D40} C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{08513FC1-CCCE-4603-8DD1-35BA1CA8D1CD}\TypeLib C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F4AA885F-AF9C-4032-A65A-F3DFD458C289}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{07120975-B963-4F85-9B4D-0AC979FEBB5D} C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C9EF8E78-8E3A-428C-93C5-F52E146CB6FF}\ = "IGRPen" C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{72A79692-2F9E-4FEC-92CC-6B4A7375A3D6} C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{08513FC1-CCCE-4603-8DD1-35BA1CA8D1CD}\TypeLib\ = "{4018F953-1BFE-441E-8A04-DC8BA1FF060E}" C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7FC1D3A0-693F-486E-BDF3-02E98F50F9F3}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{08513FC1-CCCE-4603-8DD1-35BA1CA8D1CD}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5C2FC87F-12F8-4A09-8A4A-792671C03C74}\TypeLib\Version = "6.0" C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6A246AC9-1715-40B6-A483-DE9F3E8DA43C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A1C0E90D-B75A-4FFD-A542-54C9E44785A6}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{39A2C13A-D695-44BD-8339-A94FA64CB62B}\TypeLib C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CDAA7F5B-E100-49B7-93F2-6B66FC93BE55}\TypeLib\ = "{4018F953-1BFE-441E-8A04-DC8BA1FF060E}" C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{44CBB5DE-5AFB-4c3d-8F3F-0F70CA5372AD}\TypeLib\ = "{4018F953-1BFE-441e-8A04-DC8BA1FF060E}" C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4018F953-1BFE-441E-8A04-DC8BA1FF060E}\6.0 C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1D1E02B3-E1BD-4C84-95F8-BB19BBB481F0}\TypeLib C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B4AF4881-7230-4AE0-8D3A-02F96F339454}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B753063D-AEBA-4E5E-B53A-F89B68F1F622} C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CB11F828-A97B-4BC3-9B7A-9D2DDEB1C229}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E5561733-9CD9-4D47-AE6B-3CB10A3D6772}\ = "IGRCellBase" C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5D15E31-FA9A-42BE-BE9C-8688E7D9D6A0} C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{488B2328-67C0-42D1-A133-303FF60D8AE2} C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCDB44D7-4E0B-4EB6-A1E2-092689E8A482}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28845384-ED9F-4D2E-986E-D52AC37A108F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FE08C5A0-22B5-4664-9DAA-4BB97C2C0771}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{97502458-7024-4194-9598-5B62001D8C1A} C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{330F80F5-4568-4F70-BFCB-683D3B90FEBB}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CE4B64D4-5B5C-4B74-8470-1CC62F8E9FC9}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{273631DD-1CAC-49E9-92EE-584F48921A1E}\TypeLib C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C765E825-5F52-44CB-AAB6-FA89376DA4C0}\ = "IGRColumnSection" C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{24DE1EBE-5D9C-40EC-A11A-21AF7D0C0D36}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{60EB191F-5E63-41E7-807F-C66EC7A8EF26}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5F9D573A-8350-4A94-BB9F-2D0FA787EC7C}\TypeLib\ = "{4018F953-1BFE-441E-8A04-DC8BA1FF060E}" C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5C2FC87F-12F8-4A09-8A4A-792671C03C74}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\gregn.GRPrintViewer\CLSID C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe"

Network

N/A

Files

\Program Files\JiaRong\JiaRjishu.jrs

MD5 259c1da17b442ac2f27ea1ff4625e7d3
SHA1 54437d7ce0fc459ed603dc8709254c6971cd34e0
SHA256 6272c686ea0209fe829ddaad0b9af8fbc253d521dbd7e84a1216c217a2f93c9a
SHA512 75281e8dcb997c28a5c864822fe0f984a4bb7ee7c1ca48400250184b7fdaddc4d23bdc601fc7fc42e214b7721931231635380398918631d0adf454a97f8e8796

memory/1624-5-0x0000000010000000-0x0000000010917000-memory.dmp

memory/1624-10-0x0000000010000000-0x0000000010917000-memory.dmp

memory/1624-11-0x0000000010000000-0x0000000010917000-memory.dmp

memory/1624-13-0x0000000010000000-0x0000000010917000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-04 12:14

Reported

2024-06-04 12:17

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe"

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\JiaRong\JiaRsoft.jrs C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
File created C:\Program Files\JiaRong\JiaRjishu.jrs C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{72A79692-2F9E-4FEC-92CC-6B4A7375A3D6}\TypeLib C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2564DCE8-FEDB-4EB6-B7F9-5026F7F1041E}\TypeLib C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4C56923D-4012-4D28-8283-1B294C5C2A06}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E66EBBF5-ED8D-44E7-8A6C-E6579ADCC7D4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A1C0E90D-B75A-4FFD-A542-54C9E44785A6}\TypeLib\Version = "6.0" C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C04A6143-7500-41EF-8062-BD89A0A92D40}\TypeLib\ = "{4018F953-1BFE-441E-8A04-DC8BA1FF060E}" C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\gregn.GridppReport\CurVer\ = "gregn.GridppReport.6" C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\gregn.GRDisplayViewer.6\CLSID\ = "{1B5EA181-A38D-4f42-88B2-6AF74CF6D6C0}" C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\gregn.GRPrintViewerProps C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{83CC68EF-B558-45BB-8023-6C4F3BDADA7B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5EB6E1E6-00B9-4469-AB22-EE4375D70E39}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E2F421D7-73FA-462F-9BF5-7DA3E512CA00}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3BB506AB-425B-43B0-BC82-28A61FCCF686}\TypeLib\Version = "6.0" C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{330F80F5-4568-4F70-BFCB-683D3B90FEBB}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F803AE1D-B578-490A-A1FE-38976AD2B625}\TypeLib\ = "{4018F953-1BFE-441E-8A04-DC8BA1FF060E}" C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FCDB44D7-4E0B-4EB6-A1E2-092689E8A482}\TypeLib\Version = "6.0" C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{53E18537-559D-4EF2-94C3-47A1EF38100F}\TypeLib C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CA0A5CBE-7EEC-44FD-ABFD-FC65BFED8618}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D40307C2-9342-4C0D-9734-A103418186FE}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5F9D573A-8350-4A94-BB9F-2D0FA787EC7C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{24DE1EBE-5D9C-40EC-A11A-21AF7D0C0D36} C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4FA44042-1421-46DE-9ACA-A44753FF06C6}\TypeLib\Version = "6.0" C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{77FD1006-7067-41FF-A712-0F356A6ACE8C}\TypeLib\Version = "6.0" C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4C56923D-4012-4D28-8283-1B294C5C2A06}\ = "IGRTextFormat" C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F00CE27D-D1E3-4EF6-9877-BF3233EBF551}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{04CEA260-DD00-4954-A81F-F0A201343CB9}\TypeLib\Version = "6.0" C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\gregn.GRPrintViewer C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CB11F828-A97B-4BC3-9B7A-9D2DDEB1C229}\ = "IGRDetailGrid" C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6FA2BE8F-B674-49A9-A081-FE3968AE8D8D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E5561733-9CD9-4D47-AE6B-3CB10A3D6772}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FE08C5A0-22B5-4664-9DAA-4BB97C2C0771}\TypeLib\ = "{4018F953-1BFE-441E-8A04-DC8BA1FF060E}" C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60EB191F-5E63-41E7-807F-C66EC7A8EF26}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A9E920A1-C722-4A81-9FCF-4D5EBFFA21F4}\TypeLib C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{23F65787-D22B-4CA6-BA49-D22B63CA353A}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A1C0E90D-B75A-4FFD-A542-54C9E44785A6}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F00CE27D-D1E3-4EF6-9877-BF3233EBF551} C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{04CEA260-DD00-4954-A81F-F0A201343CB9}\ = "IGRField" C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D4708B2F-DC00-4EF6-9559-A5DD9E86047C}\TypeLib\ = "{4018F953-1BFE-441E-8A04-DC8BA1FF060E}" C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BB12AEBD-5839-4A5E-9944-65B6798381C8} C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2564DCE8-FEDB-4EB6-B7F9-5026F7F1041E}\TypeLib\ = "{4018F953-1BFE-441E-8A04-DC8BA1FF060E}" C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1B5EA181-A38D-4f42-88B2-6AF74CF6D6C0}\ = "Grid++Report DisplayViewer 6.0" C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F803AE1D-B578-490A-A1FE-38976AD2B625}\TypeLib C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{45F9B62D-9E33-484A-BB3C-BD58007BDAA2} C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AACDAA8B-5EBB-4CC7-BCB9-C300FE7184A5}\ = "IGRPageFooter" C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C04A6143-7500-41EF-8062-BD89A0A92D40}\TypeLib C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28845384-ED9F-4D2E-986E-D52AC37A108F} C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CD0A6964-D013-4DB6-96C4-5B1DE0DB8F1C}\TypeLib\Version = "6.0" C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FBA070AB-385F-4988-B7A1-CE6B72799B48} C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{01056F48-F4AB-4D9F-BE45-614F3313717D}\TypeLib C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60EB191F-5E63-41E7-807F-C66EC7A8EF26} C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF39550B-2A23-418A-ACEC-812C70EA5A62}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF39550B-2A23-418A-ACEC-812C70EA5A62}\TypeLib\Version = "6.0" C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{23F65787-D22B-4CA6-BA49-D22B63CA353A}\TypeLib\ = "{4018F953-1BFE-441E-8A04-DC8BA1FF060E}" C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E2F421D7-73FA-462F-9BF5-7DA3E512CA00}\ = "IGRColumnCell" C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF39550B-2A23-418A-ACEC-812C70EA5A62}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E66EBBF5-ED8D-44E7-8A6C-E6579ADCC7D4}\TypeLib\ = "{4018F953-1BFE-441E-8A04-DC8BA1FF060E}" C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4FA44042-1421-46DE-9ACA-A44753FF06C6}\ = "IGridppReport" C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{60EB191F-5E63-41E7-808F-C66EC7A8EF26}\ = "IGRE2XLSOption" C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5DABF9AD-2396-4C11-BFD7-A5EE39772954} C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\gregn.GRDisplayViewer.6\ = "Grid++Report DisplayViewer 6.0" C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\gregn.GRPrintViewerProps.6\CLSID\ = "{6CA58CB2-2AD1-4ad0-B3CC-5F5C000BBDEE}" C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{330F80F5-4568-4F70-BFCB-683D3B90FEBB}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{77FD1006-7067-41FF-A712-0F356A6ACE8C}\ = "IGRSection" C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A9E920A1-C722-4A81-9FCF-4D5EBFFA21F4}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-04_fdd64c321de6b7c2753e4c97325a8609_hacktools_icedid.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
N/A 224.0.0.251:5353 N/A udp
NL 23.62.61.57:443 www.bing.com tcp
US 8.8.8.8:53 57.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
NL 52.142.223.178:80 N/A tcp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 35.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 138.201.86.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 14.179.89.13.in-addr.arpa udp

Files

C:\Program Files\JiaRong\JiaRjishu.jrs

MD5 259c1da17b442ac2f27ea1ff4625e7d3
SHA1 54437d7ce0fc459ed603dc8709254c6971cd34e0
SHA256 6272c686ea0209fe829ddaad0b9af8fbc253d521dbd7e84a1216c217a2f93c9a
SHA512 75281e8dcb997c28a5c864822fe0f984a4bb7ee7c1ca48400250184b7fdaddc4d23bdc601fc7fc42e214b7721931231635380398918631d0adf454a97f8e8796

memory/3144-6-0x0000000010000000-0x0000000010917000-memory.dmp

memory/3144-12-0x0000000010000000-0x0000000010917000-memory.dmp

memory/3144-13-0x0000000010000000-0x0000000010917000-memory.dmp