Malware Analysis Report

2025-01-03 09:33

Sample ID 240604-thdgfscc7w
Target 2024-06-04_11e7727bd92cd8706e4c58f6ca0a2870_hacktools_icedid
SHA256 f608c9f6ad810938dafc2e98c77b652c773713d58cb2f960962c52f301b0df80
Tags
bootkit persistence upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f608c9f6ad810938dafc2e98c77b652c773713d58cb2f960962c52f301b0df80

Threat Level: Known bad

The file 2024-06-04_11e7727bd92cd8706e4c58f6ca0a2870_hacktools_icedid was found to be: Known bad.

Malicious Activity Summary

bootkit persistence upx

UPX dump on OEP (original entry point)

ACProtect 1.3x - 1.4x DLL software

Loads dropped DLL

UPX packed file

Writes to the Master Boot Record (MBR)

Drops file in Program Files directory

Unsigned PE

Modifies registry class

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-04 16:03

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-04 16:03

Reported

2024-06-04 16:05

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-04_11e7727bd92cd8706e4c58f6ca0a2870_hacktools_icedid.exe"

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\2024-06-04_11e7727bd92cd8706e4c58f6ca0a2870_hacktools_icedid.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\JiaRong\JiaRsoft.jrs C:\Users\Admin\AppData\Local\Temp\2024-06-04_11e7727bd92cd8706e4c58f6ca0a2870_hacktools_icedid.exe N/A
File created C:\Program Files\JiaRong\JiaRjishu.jrs C:\Users\Admin\AppData\Local\Temp\2024-06-04_11e7727bd92cd8706e4c58f6ca0a2870_hacktools_icedid.exe N/A

Modifies registry class

Description Indicator Process Target

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-04_11e7727bd92cd8706e4c58f6ca0a2870_hacktools_icedid.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-04_11e7727bd92cd8706e4c58f6ca0a2870_hacktools_icedid.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-04_11e7727bd92cd8706e4c58f6ca0a2870_hacktools_icedid.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-04_11e7727bd92cd8706e4c58f6ca0a2870_hacktools_icedid.exe"

Network

Country Destination Domain Proto

Files

C:\Program Files\JiaRong\JiaRjishu.jrs

MD5 259c1da17b442ac2f27ea1ff4625e7d3
SHA1 54437d7ce0fc459ed603dc8709254c6971cd34e0
SHA256 6272c686ea0209fe829ddaad0b9af8fbc253d521dbd7e84a1216c217a2f93c9a
SHA512 75281e8dcb997c28a5c864822fe0f984a4bb7ee7c1ca48400250184b7fdaddc4d23bdc601fc7fc42e214b7721931231635380398918631d0adf454a97f8e8796

memory/2544-6-0x0000000010000000-0x0000000010917000-memory.dmp

memory/2544-12-0x0000000010000000-0x0000000010917000-memory.dmp

memory/2544-13-0x0000000010000000-0x0000000010917000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-04 16:03

Reported

2024-06-04 16:05

Platform

win7-20240221-en

Max time kernel

141s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-04_11e7727bd92cd8706e4c58f6ca0a2870_hacktools_icedid.exe"

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\2024-06-04_11e7727bd92cd8706e4c58f6ca0a2870_hacktools_icedid.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\JiaRong\JiaRjishu.jrs C:\Users\Admin\AppData\Local\Temp\2024-06-04_11e7727bd92cd8706e4c58f6ca0a2870_hacktools_icedid.exe N/A
File created C:\Program Files\JiaRong\JiaRsoft.jrs C:\Users\Admin\AppData\Local\Temp\2024-06-04_11e7727bd92cd8706e4c58f6ca0a2870_hacktools_icedid.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{01056F48-F4AB-4D9F-BE45-614F3313717D}\TypeLib\ = "{4018F953-1BFE-441E-8A04-DC8BA1FF060E}" C:\Users\Admin\AppData\Local\Temp\2024-06-04_11e7727bd92cd8706e4c58f6ca0a2870_hacktools_icedid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F4AA885F-AF9C-4032-A65A-F3DFD458C289}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\2024-06-04_11e7727bd92cd8706e4c58f6ca0a2870_hacktools_icedid.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{330F80F5-4568-4F70-BFCB-683D3B90FEBB}\TypeLib C:\Users\Admin\AppData\Local\Temp\2024-06-04_11e7727bd92cd8706e4c58f6ca0a2870_hacktools_icedid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FCDB44D7-4E0B-4EB6-A1E2-092689E8A482}\TypeLib\ = "{4018F953-1BFE-441E-8A04-DC8BA1FF060E}" C:\Users\Admin\AppData\Local\Temp\2024-06-04_11e7727bd92cd8706e4c58f6ca0a2870_hacktools_icedid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{04CEA260-DD00-4954-A81F-F0A201343CB9}\TypeLib\Version = "6.0" C:\Users\Admin\AppData\Local\Temp\2024-06-04_11e7727bd92cd8706e4c58f6ca0a2870_hacktools_icedid.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-04_11e7727bd92cd8706e4c58f6ca0a2870_hacktools_icedid.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-04_11e7727bd92cd8706e4c58f6ca0a2870_hacktools_icedid.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-04_11e7727bd92cd8706e4c58f6ca0a2870_hacktools_icedid.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-04_11e7727bd92cd8706e4c58f6ca0a2870_hacktools_icedid.exe"

Network

N/A

Files

\Program Files\JiaRong\JiaRjishu.jrs

MD5 259c1da17b442ac2f27ea1ff4625e7d3
SHA1 54437d7ce0fc459ed603dc8709254c6971cd34e0
SHA256 6272c686ea0209fe829ddaad0b9af8fbc253d521dbd7e84a1216c217a2f93c9a
SHA512 75281e8dcb997c28a5c864822fe0f984a4bb7ee7c1ca48400250184b7fdaddc4d23bdc601fc7fc42e214b7721931231635380398918631d0adf454a97f8e8796

memory/2144-5-0x0000000010000000-0x0000000010917000-memory.dmp

memory/2144-10-0x0000000010000000-0x0000000010917000-memory.dmp

memory/2144-11-0x0000000010000000-0x0000000010917000-memory.dmp

memory/2144-13-0x0000000010000000-0x0000000010917000-memory.dmp