Analysis Overview
SHA256
f836db159efca8826a4b8fa28619b71399d1bde1b35434d75a3617ed483b8631
Threat Level: Shows suspicious behavior
The file 2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar was classified as: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Writes to the Master Boot Record (MBR)
Enumerates connected drives
Adds Run key to start application
Drops file in Program Files directory
Enumerates physical storage devices
Unsigned PE
Modifies registry class
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-04 19:39
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-04 19:39
Reported
2024-06-04 19:42
Platform
win10v2004-20240508-en
Max time kernel
133s
Max time network
129s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FEIQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe 1" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened (read-only) | \??\A: | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| File opened (read-only) | \??\B: | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
Drops file in Program Files directory
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B6620960-3908-4FE6-B347-9744EEF0ABE2}\ = "CFQUi Class" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.Application | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4AB3843-3548-4e73-B99D-620DF075BB32}\TypeLib\ = "{83863943-2942-4480-83CF-CE99E5655801}" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQRoot.1 | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQUi\CurVer\ = "FeiQ.FQUi.1" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ImageOle.GifAnimator\ = "GifAnimator Class" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16} | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{39AF7A0C-F38A-420F-9611-6C848375977B}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe\"" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.Application.1 | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0525C8BE-6CCA-4AF7-B72A-1D81756978F0}\LocalServer32 | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQData\ = "FQData Class" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.ClientObjectsModule.1\CLSID\ = "{A5CAC5D2-0527-414b-979F-0FAA325646CC}" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ImageOle.GifAnimator.1\ = "GifAnimator Class" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.Application\CLSID | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A5CAC5D2-0527-414b-979F-0FAA325646CC}\Programmable | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQMenu\CLSID | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQUi.1\CLSID | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B6620960-3908-4FE6-B347-9744EEF0ABE2}\AppID = "{B6938C8A-42A7-40AE-A4A9-85EAC54FC8F8}" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ImageOle.GifAnimator\CLSID | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQData\CurVer | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQDataCollection.1 | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{78669512-A747-4933-8DEC-6C1196599BFB}\TypeLib | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CBAFFFA3-8012-4E65-902C-9DF4360BFC3B}\ProgID | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CBAFFFA3-8012-4E65-902C-9DF4360BFC3B}\VersionIndependentProgID\ = "FeiQ.FQFolderBar" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{88118872-FA84-4324-BD58-8A804ABB339D}\TypeLib | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1129492B-BE39-4F68-9FB2-954A15642CE6}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQData.1 | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQRoot | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ImageOle.GifAnimator | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}\TypeLib | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQMenu.1\ = "FQMenu Class" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{97819BF3-8E21-477c-9162-5AED70E4155A}\AppID = "{B6938C8A-42A7-40AE-A4A9-85EAC54FC8F8}" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQTools.1\CLSID | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQUi | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CBAFFFA3-8012-4E65-902C-9DF4360BFC3B}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CBAFFFA3-8012-4E65-902C-9DF4360BFC3B}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe\"" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQTools\CurVer\ = "FeiQ.FQTools.1" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0525C8BE-6CCA-4AF7-B72A-1D81756978F0}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe\"" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B6620960-3908-4FE6-B347-9744EEF0ABE2}\Programmable | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{710993A2-4F87-41D7-B6FE-F5A20368465F}\1.0\HELPDIR\ = "C:\\Program Files\\feiq\\GifDll\\" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{39AF7A0C-F38A-420F-9611-6C848375977B}\ = "FQBuddyCollection Class" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{39AF7A0C-F38A-420F-9611-6C848375977B}\ProgID\ = "FeiQ.FQBuddyCollection.1" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQTools.1 | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4AB3843-3548-4e73-B99D-620DF075BB32} | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B6620960-3908-4FE6-B347-9744EEF0ABE2}\LocalServer32 | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQBuddyCollection.1 | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{78669512-A747-4933-8DEC-6C1196599BFB}\ = "FQBuddy Class" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.Application\ = "Application Class" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4AB3843-3548-4e73-B99D-620DF075BB32}\ = "FQData Class" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.ClientObjectsModule.1 | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BE8BCAB3-73D7-4316-872E-2C776302ECD4}\LocalServer32 | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{B6938C8A-42A7-40AE-A4A9-85EAC54FC8F8}\ = "FEIQ" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BE8BCAB3-73D7-4316-872E-2C776302ECD4}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQMenu\ = "FQMenu Class" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQBuddy.1 | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQBuddy.1\CLSID\ = "{78669512-A747-4933-8DEC-6C1196599BFB}" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQTools\CLSID | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{710993A2-4F87-41D7-B6FE-F5A20368465F}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQBuddy\CurVer | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQTools.1\CLSID\ = "{1129492B-BE39-4F68-9FB2-954A15642CE6}" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQData\CLSID | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B76352A6-61E3-481a-A219-9B50DAB47F80}\ = "FQDataCollection Class" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
Suspicious use of SetWindowsHookEx
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4084,i,11266875042087428226,16669718873272757238,262144 --variations-seed-version --mojo-platform-channel-handle=3444 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.161:443 | www.bing.com | tcp |
| NL | 23.62.61.161:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 161.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| N/A | 10.127.255.255:2425 | | udp |
| N/A | 255.255.255.255:2425 | | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | e.feiq18.com | udp |
| CN | 180.97.238.45:80 | e.feiq18.com | tcp |
| N/A | 10.127.0.97:2425 | | udp |
| US | 8.8.8.8:53 | www.feiq18.com | udp |
| CN | 180.97.238.45:80 | www.feiq18.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | feiqupgrade.blog.sohu.com | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| CN | 60.13.97.138:80 | feiqupgrade.blog.sohu.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\feiq\feiq.ini
| Hash | Value |
| --- | --- |
| MD5 | ad7812ebc6c6bf360977baac663a42f5 |
| SHA1 | 72844f6c194ffbbc2fb254e76951fe2cd4e479a5 |
| SHA256 | a7b8987fdcc95136c90be17665bb4b21d07f0270a427592eea6f4fc63422d9df |
| SHA512 | d5b4453e2df7121ade86df50e444abc27a9c4a9e72eaddf5f95c4befafe0e7829a0f63509c5cc7db7ba5e86e3efc85eac3b1da9c26499ad62362af6dff17c7e9 |
memory/4732-7-0x0000000000B7F000-0x0000000000B80000-memory.dmp
C:\Program Files\feiq\GifDll\ImageOle.dll
| Hash | Value |
| --- | --- |
| MD5 | c653904916e99c2653bf3b339c734f05 |
| SHA1 | 6cb3cde5b5f7ffd76b0de150feb15801f705dd57 |
| SHA256 | a11cd7f420a737e8127012c24dc3fbce1b2e6c6c3425f2028c6171a7e8eb7785 |
| SHA512 | d4aa6713140d2391ee56352dc350e892ffc905843e74f1cdc99b0ce1645ec1d1ba4e990a8ee847928aabd10de0488f035c5df5e005ec7048c4f07d88d9082e6b |
memory/4732-16-0x0000000000400000-0x000000000158E000-memory.dmp
memory/4732-35-0x0000000000400000-0x000000000158E000-memory.dmp
memory/4732-100-0x0000000000400000-0x000000000158E000-memory.dmp
memory/4732-135-0x0000000000400000-0x000000000158E000-memory.dmp
memory/4732-143-0x0000000000400000-0x000000000158E000-memory.dmp
memory/4732-145-0x0000000000400000-0x000000000158E000-memory.dmp
memory/4732-146-0x0000000000400000-0x000000000158E000-memory.dmp
memory/4732-147-0x0000000000400000-0x000000000158E000-memory.dmp
memory/4732-150-0x0000000000400000-0x000000000158E000-memory.dmp
memory/4732-151-0x0000000000400000-0x000000000158E000-memory.dmp
memory/4732-152-0x0000000000400000-0x000000000158E000-memory.dmp
memory/4732-153-0x0000000000400000-0x000000000158E000-memory.dmp
memory/4732-154-0x0000000000400000-0x000000000158E000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-04 19:39
Reported
2024-06-04 19:42
Platform
win7-20240419-en
Max time kernel
126s
Max time network
126s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\FEIQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe 1" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened (read-only) | \??\A: | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| File opened (read-only) | \??\B: | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
Drops file in Program Files directory
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B76352A6-61E3-481a-A219-9B50DAB47F80}\Programmable | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B76352A6-61E3-481a-A219-9B50DAB47F80}\TypeLib\ = "{83863943-2942-4480-83CF-CE99E5655801}" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BE8BCAB3-73D7-4316-872E-2C776302ECD4} | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQUi\CLSID\ = "{B6620960-3908-4FE6-B347-9744EEF0ABE2}" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQMenu\CLSID | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97819BF3-8E21-477c-9162-5AED70E4155A}\Programmable | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQCalendar\CLSID | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97819BF3-8E21-477c-9162-5AED70E4155A}\ProgID\ = "FeiQ.FQMenu.1" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{39AF7A0C-F38A-420F-9611-6C848375977B}\ = "FQBuddyCollection Class" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4AB3843-3548-4e73-B99D-620DF075BB32} | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A5CAC5D2-0527-414b-979F-0FAA325646CC}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe\"" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BE8BCAB3-73D7-4316-872E-2C776302ECD4}\LocalServer32 | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CBAFFFA3-8012-4E65-902C-9DF4360BFC3B}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe\"" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CBAFFFA3-8012-4E65-902C-9DF4360BFC3B}\TypeLib | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A5CAC5D2-0527-414b-979F-0FAA325646CC}\ProgID\ = "FeiQ.ClientObjectsModule.1" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQRoot | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{78669512-A747-4933-8DEC-6C1196599BFB}\VersionIndependentProgID\ = "FeiQ.FQBuddy" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1129492B-BE39-4F68-9FB2-954A15642CE6} | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.Application\CurVer\ = "FeiQ.Application.1" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQData\CurVer | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.ClientObjectsModule.1\CLSID | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQBuddyCollection.1\ = "FQBuddyCollection Class" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQFolderBar\CLSID | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CBAFFFA3-8012-4E65-902C-9DF4360BFC3B}\LocalServer32 | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{39AF7A0C-F38A-420F-9611-6C848375977B} | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CBAFFFA3-8012-4E65-902C-9DF4360BFC3B}\VersionIndependentProgID\ = "FeiQ.FQFolderBar" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BE8BCAB3-73D7-4316-872E-2C776302ECD4}\ProgID | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQFolderBar.1\CLSID | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B6620960-3908-4FE6-B347-9744EEF0ABE2}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe\"" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQTools\ = "FQTools Class" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0525C8BE-6CCA-4AF7-B72A-1D81756978F0}\Programmable | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B76352A6-61E3-481a-A219-9B50DAB47F80}\ = "FQDataCollection Class" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A5CAC5D2-0527-414b-979F-0FAA325646CC}\ = "ClientObjectsModule Class" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A5CAC5D2-0527-414b-979F-0FAA325646CC}\Programmable | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQBuddy\ = "FQBuddy Class" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CBAFFFA3-8012-4E65-902C-9DF4360BFC3B}\ = "FQFolderBar Class" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQCalendar.1 | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ImageOle.GifAnimator\ = "GifAnimator Class" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}\TypeLib\ = "{710993A2-4F87-41D7-B6FE-F5A20368465F}" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16} | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}\TypeLib | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{39AF7A0C-F38A-420F-9611-6C848375977B}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{78669512-A747-4933-8DEC-6C1196599BFB}\ProgID\ = "FeiQ.FQBuddy.1" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CBAFFFA3-8012-4E65-902C-9DF4360BFC3B}\Programmable | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B76352A6-61E3-481a-A219-9B50DAB47F80} | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{710993A2-4F87-41D7-B6FE-F5A20368465F}\1.0 | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97819BF3-8E21-477c-9162-5AED70E4155A} | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97819BF3-8E21-477c-9162-5AED70E4155A}\LocalServer32 | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1129492B-BE39-4F68-9FB2-954A15642CE6}\Programmable | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0525C8BE-6CCA-4AF7-B72A-1D81756978F0}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe\"" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B76352A6-61E3-481a-A219-9B50DAB47F80}\LocalServer32 | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B6620960-3908-4FE6-B347-9744EEF0ABE2}\ProgID\ = "FeiQ.FQUi.1" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQMenu | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQBuddy.1 | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{78669512-A747-4933-8DEC-6C1196599BFB}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4AB3843-3548-4e73-B99D-620DF075BB32}\ProgID | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.ClientObjectsModule.1\CLSID\ = "{A5CAC5D2-0527-414b-979F-0FAA325646CC}" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQFolderBar | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{88118872-FA84-4324-BD58-8A804ABB339D} | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{88118872-FA84-4324-BD58-8A804ABB339D}\AppID = "{B6938C8A-42A7-40AE-A4A9-85EAC54FC8F8}" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQRoot.1\ = "FQRoot Class" | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BE8BCAB3-73D7-4316-872E-2C776302ECD4}\TypeLib | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe | N/A |
Suspicious use of SetWindowsHookEx
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-04_dd5a5c9478d9fb781b197b46a972af9f_icedid_vidar.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 10.127.255.255:2425 | | udp |
| N/A | 255.255.255.255:2425 | | udp |
| N/A | 10.127.0.216:2425 | | udp |
| US | 8.8.8.8:53 | e.feiq18.com | udp |
| CN | 180.97.238.45:80 | e.feiq18.com | tcp |
| US | 8.8.8.8:53 | www.feiq18.com | udp |
| CN | 180.97.238.45:80 | www.feiq18.com | tcp |
| US | 8.8.8.8:53 | feiqupgrade.blog.sohu.com | udp |
| CN | 60.221.17.183:80 | feiqupgrade.blog.sohu.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\feiq\feiq.ini
| MD5 | ad7812ebc6c6bf360977baac663a42f5 |
| SHA1 | 72844f6c194ffbbc2fb254e76951fe2cd4e479a5 |
| SHA256 | a7b8987fdcc95136c90be17665bb4b21d07f0270a427592eea6f4fc63422d9df |
| SHA512 | d5b4453e2df7121ade86df50e444abc27a9c4a9e72eaddf5f95c4befafe0e7829a0f63509c5cc7db7ba5e86e3efc85eac3b1da9c26499ad62362af6dff17c7e9 |
memory/2116-7-0x0000000000B7F000-0x0000000000B80000-memory.dmp
\Program Files\feiq\GifDll\ImageOle.dll
| MD5 | c653904916e99c2653bf3b339c734f05 |
| SHA1 | 6cb3cde5b5f7ffd76b0de150feb15801f705dd57 |
| SHA256 | a11cd7f420a737e8127012c24dc3fbce1b2e6c6c3425f2028c6171a7e8eb7785 |
| SHA512 | d4aa6713140d2391ee56352dc350e892ffc905843e74f1cdc99b0ce1645ec1d1ba4e990a8ee847928aabd10de0488f035c5df5e005ec7048c4f07d88d9082e6b |
memory/2116-18-0x0000000000400000-0x000000000158E000-memory.dmp
memory/2116-21-0x0000000000400000-0x000000000158E000-memory.dmp
memory/2116-22-0x0000000000400000-0x000000000158E000-memory.dmp
memory/2116-25-0x0000000000400000-0x000000000158E000-memory.dmp
memory/2116-32-0x0000000000400000-0x000000000158E000-memory.dmp
memory/2116-39-0x0000000000400000-0x000000000158E000-memory.dmp
memory/2116-72-0x0000000000400000-0x000000000158E000-memory.dmp
memory/2116-82-0x0000000000400000-0x000000000158E000-memory.dmp
memory/2116-86-0x0000000000400000-0x000000000158E000-memory.dmp
memory/2116-90-0x0000000000400000-0x000000000158E000-memory.dmp
memory/2116-94-0x0000000000400000-0x000000000158E000-memory.dmp
memory/2116-99-0x0000000000400000-0x000000000158E000-memory.dmp
memory/2116-102-0x0000000000400000-0x000000000158E000-memory.dmp
memory/2116-153-0x0000000000400000-0x000000000158E000-memory.dmp