Analysis Overview
SHA256
ba537d9a4ba0f5a69a9cb5932c0e077855176ad22ce88daabe6e6087bc22ea18
Threat Level: Shows suspicious behavior
The file 2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Adds Run key to start application
Writes to the Master Boot Record (MBR)
Enumerates connected drives
Drops file in Program Files directory
Unsigned PE
Enumerates physical storage devices
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Modifies registry class
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-04 15:51
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-04 15:51
Reported
2024-06-04 15:54
Platform
win7-20240508-en
Max time kernel
130s
Max time network
131s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\FEIQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe 1" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\A: | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| File opened (read-only) | \??\B: | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
Drops file in Program Files directory
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CBAFFFA3-8012-4E65-902C-9DF4360BFC3B}\ProgID | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0525C8BE-6CCA-4AF7-B72A-1D81756978F0}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe\"" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQData\CLSID\ = "{C4AB3843-3548-4e73-B99D-620DF075BB32}" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4AB3843-3548-4e73-B99D-620DF075BB32}\TypeLib | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ImageOle.GifAnimator\CurVer\ = "ImageOle.GifAnimator.1" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{39AF7A0C-F38A-420F-9611-6C848375977B}\AppID = "{B6938C8A-42A7-40AE-A4A9-85EAC54FC8F8}" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQTools\CLSID\ = "{1129492B-BE39-4F68-9FB2-954A15642CE6}" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{710993A2-4F87-41D7-B6FE-F5A20368465F}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4AB3843-3548-4e73-B99D-620DF075BB32} | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A5CAC5D2-0527-414b-979F-0FAA325646CC}\ = "ClientObjectsModule Class" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BE8BCAB3-73D7-4316-872E-2C776302ECD4}\VersionIndependentProgID\ = "FeiQ.FQRoot" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ImageOle.GifAnimator.1\ = "GifAnimator Class" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ImageOle.GifAnimator.1\CLSID\ = "{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0525C8BE-6CCA-4AF7-B72A-1D81756978F0}\VersionIndependentProgID\ = "FeiQ.Application" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{B6938C8A-42A7-40AE-A4A9-85EAC54FC8F8} | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQBuddyCollection\CurVer\ = "FeiQ.FQBuddyCollection.1" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQBuddy.1 | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQBuddy.1\CLSID | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{78669512-A747-4933-8DEC-6C1196599BFB}\LocalServer32 | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{88118872-FA84-4324-BD58-8A804ABB339D} | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1129492B-BE39-4F68-9FB2-954A15642CE6}\ = "FQTools Class" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ImageOle.GifAnimator.1 | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{710993A2-4F87-41D7-B6FE-F5A20368465F}\1.0\ = "ImageOle 1.0 Type Library" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97819BF3-8E21-477c-9162-5AED70E4155A}\TypeLib\ = "{83863943-2942-4480-83CF-CE99E5655801}" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4AB3843-3548-4e73-B99D-620DF075BB32}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe\"" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQDataCollection\CurVer | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B76352A6-61E3-481a-A219-9B50DAB47F80}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B6620960-3908-4FE6-B347-9744EEF0ABE2}\ = "CFQUi Class" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{39AF7A0C-F38A-420F-9611-6C848375977B}\VersionIndependentProgID\ = "FeiQ.FQBuddyCollection" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{78669512-A747-4933-8DEC-6C1196599BFB}\VersionIndependentProgID\ = "FeiQ.FQBuddy" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BE8BCAB3-73D7-4316-872E-2C776302ECD4}\ProgID\ = "FeiQ.FQRoot.1" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}\ = "IGifAnimator" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{39AF7A0C-F38A-420F-9611-6C848375977B}\ProgID | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQBuddy\CLSID | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{78669512-A747-4933-8DEC-6C1196599BFB}\ = "FQBuddy Class" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1129492B-BE39-4F68-9FB2-954A15642CE6}\ProgID | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.Application\CurVer | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1129492B-BE39-4F68-9FB2-954A15642CE6}\AppID = "{B6938C8A-42A7-40AE-A4A9-85EAC54FC8F8}" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.ClientObjectsModule\CLSID | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{B6938C8A-42A7-40AE-A4A9-85EAC54FC8F8}\ = "FEIQ" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQBuddyCollection.1\ = "FQBuddyCollection Class" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CBAFFFA3-8012-4E65-902C-9DF4360BFC3B}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B76352A6-61E3-481a-A219-9B50DAB47F80}\ProgID | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BE8BCAB3-73D7-4316-872E-2C776302ECD4}\AppID = "{B6938C8A-42A7-40AE-A4A9-85EAC54FC8F8}" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQMenu.1 | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{78669512-A747-4933-8DEC-6C1196599BFB}\Programmable | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{78669512-A747-4933-8DEC-6C1196599BFB}\TypeLib\ = "{83863943-2942-4480-83CF-CE99E5655801}" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQFolderBar\CLSID | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B76352A6-61E3-481a-A219-9B50DAB47F80}\ProgID\ = "FeiQ.FQDataCollection.1" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1129492B-BE39-4F68-9FB2-954A15642CE6} | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BE8BCAB3-73D7-4316-872E-2C776302ECD4}\LocalServer32 | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQCalendar\CurVer\ = "FeiQ.FQCalendar.1" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B76352A6-61E3-481a-A219-9B50DAB47F80}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe\"" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BE8BCAB3-73D7-4316-872E-2C776302ECD4}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{710993A2-4F87-41D7-B6FE-F5A20368465F}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQMenu | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CBAFFFA3-8012-4E65-902C-9DF4360BFC3B} | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.ClientObjectsModule.1\CLSID | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQRoot.1 | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B6620960-3908-4FE6-B347-9744EEF0ABE2}\AppID = "{B6938C8A-42A7-40AE-A4A9-85EAC54FC8F8}" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
Suspicious use of SetWindowsHookEx
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 10.127.255.255:2425 | | udp |
| N/A | 255.255.255.255:2425 | | udp |
| N/A | 10.127.0.152:2425 | | udp |
| US | 8.8.8.8:53 | e.feiq18.com | udp |
| CN | 180.97.238.45:80 | e.feiq18.com | tcp |
| US | 8.8.8.8:53 | www.feiq18.com | udp |
| CN | 180.97.238.45:80 | www.feiq18.com | tcp |
| US | 8.8.8.8:53 | feiqupgrade.blog.sohu.com | udp |
| CN | 27.221.71.83:80 | feiqupgrade.blog.sohu.com | tcp |
Files
memory/2344-0-0x0000000000400000-0x000000000157F000-memory.dmp
memory/2344-1-0x0000000000400000-0x000000000157F000-memory.dmp
C:\Users\Admin\AppData\Roaming\feiq\feiq.ini
| MD5 | ad7812ebc6c6bf360977baac663a42f5 |
| SHA1 | 72844f6c194ffbbc2fb254e76951fe2cd4e479a5 |
| SHA256 | a7b8987fdcc95136c90be17665bb4b21d07f0270a427592eea6f4fc63422d9df |
| SHA512 | d5b4453e2df7121ade86df50e444abc27a9c4a9e72eaddf5f95c4befafe0e7829a0f63509c5cc7db7ba5e86e3efc85eac3b1da9c26499ad62362af6dff17c7e9 |
\Program Files\feiq\GifDll\ImageOle.dll
| MD5 | c653904916e99c2653bf3b339c734f05 |
| SHA1 | 6cb3cde5b5f7ffd76b0de150feb15801f705dd57 |
| SHA256 | a11cd7f420a737e8127012c24dc3fbce1b2e6c6c3425f2028c6171a7e8eb7785 |
| SHA512 | d4aa6713140d2391ee56352dc350e892ffc905843e74f1cdc99b0ce1645ec1d1ba4e990a8ee847928aabd10de0488f035c5df5e005ec7048c4f07d88d9082e6b |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-04 15:51
Reported
2024-06-04 15:54
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FEIQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe 1" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\A: | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| File opened (read-only) | \??\B: | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
Drops file in Program Files directory
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A5CAC5D2-0527-414b-979F-0FAA325646CC}\TypeLib\ = "{83863943-2942-4480-83CF-CE99E5655801}" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\FEIQ.EXE | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{78669512-A747-4933-8DEC-6C1196599BFB}\AppID = "{B6938C8A-42A7-40AE-A4A9-85EAC54FC8F8}" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{88118872-FA84-4324-BD58-8A804ABB339D}\VersionIndependentProgID\ = "FeiQ.FQCalendar" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{88118872-FA84-4324-BD58-8A804ABB339D}\LocalServer32 | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQDataCollection.1\ = "FQDataCollection Class" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.ClientObjectsModule\ = "ClientObjectsModule Class" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A5CAC5D2-0527-414b-979F-0FAA325646CC}\ProgID\ = "FeiQ.ClientObjectsModule.1" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B6620960-3908-4FE6-B347-9744EEF0ABE2}\ProgID | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ImageOle.GifAnimator.1\Insertable | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQRoot.1\ = "FQRoot Class" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQRoot\CurVer\ = "FeiQ.FQRoot.1" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{39AF7A0C-F38A-420F-9611-6C848375977B}\ProgID\ = "FeiQ.FQBuddyCollection.1" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{78669512-A747-4933-8DEC-6C1196599BFB}\ProgID\ = "FeiQ.FQBuddy.1" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B6620960-3908-4FE6-B347-9744EEF0ABE2}\LocalServer32 | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\TypeLib\ = "{710993A2-4F87-41D7-B6FE-F5A20368465F}" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1129492B-BE39-4F68-9FB2-954A15642CE6}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe\"" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQUi\CurVer | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ImageOle.GifAnimator\CurVer\ = "ImageOle.GifAnimator.1" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQBuddyCollection.1\CLSID\ = "{39AF7A0C-F38A-420F-9611-6C848375977B}" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQTools\ = "FQTools Class" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{78669512-A747-4933-8DEC-6C1196599BFB}\LocalServer32 | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CBAFFFA3-8012-4E65-902C-9DF4360BFC3B}\ProgID\ = "FeiQ.FQFolderBar.1" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{88118872-FA84-4324-BD58-8A804ABB339D}\ProgID | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQTools.1\CLSID\ = "{1129492B-BE39-4F68-9FB2-954A15642CE6}" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQTools | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQDataCollection\CLSID | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.ClientObjectsModule.1 | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\Insertable | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQFolderBar.1\CLSID\ = "{CBAFFFA3-8012-4E65-902C-9DF4360BFC3B}" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQFolderBar\CurVer | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQCalendar\CLSID\ = "{88118872-FA84-4324-BD58-8A804ABB339D}" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1129492B-BE39-4F68-9FB2-954A15642CE6}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0525C8BE-6CCA-4AF7-B72A-1D81756978F0} | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQRoot\CurVer | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B6620960-3908-4FE6-B347-9744EEF0ABE2}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{39AF7A0C-F38A-420F-9611-6C848375977B}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ImageOle.GifAnimator\CurVer | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQBuddyCollection.1\ = "FQBuddyCollection Class" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0525C8BE-6CCA-4AF7-B72A-1D81756978F0}\LocalServer32 | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQData\ = "FQData Class" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQData\CLSID | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQUi | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{39AF7A0C-F38A-420F-9611-6C848375977B}\ProgID | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1129492B-BE39-4F68-9FB2-954A15642CE6}\ = "FQTools Class" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.ClientObjectsModule\CurVer | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B6620960-3908-4FE6-B347-9744EEF0ABE2}\TypeLib | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}\ = "IGifAnimator" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQTools\CLSID\ = "{1129492B-BE39-4F68-9FB2-954A15642CE6}" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0525C8BE-6CCA-4AF7-B72A-1D81756978F0}\ProgID\ = "FeiQ.Application.1" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQData.1\CLSID\ = "{C4AB3843-3548-4e73-B99D-620DF075BB32}" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B76352A6-61E3-481a-A219-9B50DAB47F80}\TypeLib | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B6620960-3908-4FE6-B347-9744EEF0ABE2}\ProgID\ = "FeiQ.FQUi.1" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ImageOle.GifAnimator.1\CLSID | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\Control | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQData.1 | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQMenu\CLSID | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{97819BF3-8E21-477c-9162-5AED70E4155A}\TypeLib | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{39AF7A0C-F38A-420F-9611-6C848375977B}\VersionIndependentProgID\ = "FeiQ.FQBuddyCollection" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQBuddy.1\ = "FQBuddy Class" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQBuddy.1\CLSID\ = "{78669512-A747-4933-8DEC-6C1196599BFB}" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1129492B-BE39-4F68-9FB2-954A15642CE6}\Programmable | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.Application\CurVer | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe | N/A |
Suspicious use of SetWindowsHookEx
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-04_22b1b1b018a54a257e90e4c110252150_huhk_icedid_vidar.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 148.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| N/A | 10.127.255.255:2425 | | udp |
| N/A | 255.255.255.255:2425 | | udp |
| N/A | 10.127.0.245:2425 | | udp |
| US | 8.8.8.8:53 | e.feiq18.com | udp |
| CN | 180.97.238.45:80 | e.feiq18.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.feiq18.com | udp |
| CN | 180.97.238.45:80 | www.feiq18.com | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | feiqupgrade.blog.sohu.com | udp |
| CN | 112.84.131.219:80 | feiqupgrade.blog.sohu.com | tcp |
| US | 8.8.8.8:53 | 91.65.42.20.in-addr.arpa | udp |
Files
memory/1272-0-0x0000000000400000-0x000000000157F000-memory.dmp
memory/1272-1-0x0000000000400000-0x000000000157F000-memory.dmp
C:\Users\Admin\AppData\Roaming\feiq\feiq.ini
| MD5 | ad7812ebc6c6bf360977baac663a42f5 |
| SHA1 | 72844f6c194ffbbc2fb254e76951fe2cd4e479a5 |
| SHA256 | a7b8987fdcc95136c90be17665bb4b21d07f0270a427592eea6f4fc63422d9df |
| SHA512 | d5b4453e2df7121ade86df50e444abc27a9c4a9e72eaddf5f95c4befafe0e7829a0f63509c5cc7db7ba5e86e3efc85eac3b1da9c26499ad62362af6dff17c7e9 |
memory/1272-9-0x0000000000B7F000-0x0000000000B80000-memory.dmp
C:\Program Files\feiq\GifDll\ImageOle.dll
| MD5 | c653904916e99c2653bf3b339c734f05 |
| SHA1 | 6cb3cde5b5f7ffd76b0de150feb15801f705dd57 |
| SHA256 | a11cd7f420a737e8127012c24dc3fbce1b2e6c6c3425f2028c6171a7e8eb7785 |
| SHA512 | d4aa6713140d2391ee56352dc350e892ffc905843e74f1cdc99b0ce1645ec1d1ba4e990a8ee847928aabd10de0488f035c5df5e005ec7048c4f07d88d9082e6b |
memory/1272-18-0x0000000000400000-0x000000000157F000-memory.dmp
memory/1272-19-0x0000000000400000-0x000000000157F000-memory.dmp
memory/1272-75-0x0000000000400000-0x000000000157F000-memory.dmp
memory/1272-103-0x0000000000400000-0x000000000157F000-memory.dmp
memory/1272-138-0x0000000000400000-0x000000000157F000-memory.dmp
memory/1272-146-0x0000000000400000-0x000000000157F000-memory.dmp
memory/1272-148-0x0000000000400000-0x000000000157F000-memory.dmp
memory/1272-149-0x0000000000400000-0x000000000157F000-memory.dmp
memory/1272-150-0x0000000000400000-0x000000000157F000-memory.dmp
memory/1272-153-0x0000000000400000-0x000000000157F000-memory.dmp
memory/1272-154-0x0000000000400000-0x000000000157F000-memory.dmp
memory/1272-155-0x0000000000400000-0x000000000157F000-memory.dmp
memory/1272-156-0x0000000000400000-0x000000000157F000-memory.dmp
memory/1272-157-0x0000000000400000-0x000000000157F000-memory.dmp