Analysis
max time kernel: 123s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/06/2024, 05:27 UTC
Static task: static1
Behavioral task: behavioral1
Sample: 2024-06-08_c2bf71e3c13abb482d2ee2b7e40df6d1_icedid.exe
Resource: win7-20231129-en
General
Target: 2024-06-08_c2bf71e3c13abb482d2ee2b7e40df6d1_icedid.exe
Size: 2.0MB
MD5: c2bf71e3c13abb482d2ee2b7e40df6d1
SHA1: b0241319ee946516286f4a000f2e80e5165f0685
SHA256: 0034487fa6cb815fc335c22779783f8b3d08081bfda18418f71a9b3ffc00cce7
SHA512: d30607ab8d76993228387c550a8226256341d4de777011f67fe8423619d3158d2fd0e50ab7d9f2286597864fcef8c900515638d7155924de6b42aea4cf7e0ed4
SSDEEP: 24576:FWCWFIM+WKbzai0DnAo6nbq+quWNOIzL0Jw9+be0FUps6HpwBkvsP:wghhbMuWNOIzLzae0FJBkUP
Malware Config
Extracted family: sality
URLs:
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (2 TTPs, 3 IoCs)
Process: 2024-06-08_c2bf71e3c13abb482d2ee2b7e40df6d1_icedid.exe
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"

UAC bypass
Process: 2024-06-08_c2bf71e3c13abb482d2ee2b7e40df6d1_icedid.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"

Windows security bypass
Process: 2024-06-08_c2bf71e3c13abb482d2ee2b7e40df6d1_icedid.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality (39 IoCs)
UPX dump on OEP (original entry point) (39 IoCs)
Windows security modification
Process: 2024-06-08_c2bf71e3c13abb482d2ee2b7e40df6d1_icedid.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"

Checks whether UAC is enabled
Process: 2024-06-08_c2bf71e3c13abb482d2ee2b7e40df6d1_icedid.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Process: 2024-06-08_c2bf71e3c13abb482d2ee2b7e40df6d1_icedid.exe
- File opened (read-only), 21 drive roots in this order: \??\I:, \??\N:, \??\S:, \??\Y:, \??\E:, \??\G:, \??\H:, \??\J:, \??\O:, \??\U:, \??\X:, \??\R:, \??\V:, \??\Z:, \??\K:, \??\L:, \??\M:, \??\P:, \??\Q:, \??\T:, \??\W:
Drops autorun.inf file (1 TTPs, 2 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
Process: 2024-06-08_c2bf71e3c13abb482d2ee2b7e40df6d1_icedid.exe
- File opened for modification: C:\autorun.inf
- File opened for modification: F:\autorun.inf
Drops file in Program Files directory (12 IoCs)
Process: 2024-06-08_c2bf71e3c13abb482d2ee2b7e40df6d1_icedid.exe
- File opened for modification: C:\Program Files\7-Zip\Uninstall.exe
- File opened for modification: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
- File opened for modification: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
- File opened for modification: C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe
- File opened for modification: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
- File opened for modification: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
- File opened for modification: C:\Program Files\7-Zip\7z.exe
- File opened for modification: C:\Program Files\7-Zip\7zFM.exe
- File opened for modification: C:\Program Files\7-Zip\7zG.exe
- File opened for modification: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
- File opened for modification: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
- File opened for modification: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
Drops file in Windows directory (2 IoCs)
Process: 2024-06-08_c2bf71e3c13abb482d2ee2b7e40df6d1_icedid.exe
- File created: C:\Windows\e574381
- File opened for modification: C:\Windows\SYSTEM.INI
Suspicious behavior: EnumeratesProcesses (24 IoCs)
- pid 5084, Process 2024-06-08_c2bf71e3c13abb482d2ee2b7e40df6d1_icedid.exe (the same entry is logged 24 times)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
- Token: SeDebugPrivilege, pid 5084, Process 2024-06-08_c2bf71e3c13abb482d2ee2b7e40df6d1_icedid.exe (the same entry is logged 64 times)
Suspicious use of SetWindowsHookEx (2 IoCs)
- pid 5084, Process 2024-06-08_c2bf71e3c13abb482d2ee2b7e40df6d1_icedid.exe (the same entry is logged 2 times)
Suspicious use of WriteProcessMemory (64 IoCs)
Source: PID 5084, Process 2024-06-08_c2bf71e3c13abb482d2ee2b7e40df6d1_icedid.exe
The 64 logged writes target the following 18 processes, most of them in several successive rounds (target PID, procid_target):
- 788 (9)
- 792 (10)
- 1016 (13)
- 2576 (42)
- 2596 (43)
- 2684 (46)
- 3476 (56)
- 3604 (57)
- 3800 (58)
- 3896 (59)
- 3956 (60)
- 4040 (61)
- 4104 (62)
- 2096 (73)
- 1692 (74)
- 3436 (78)
- 3428 (82)
- 3524 (83)
Target PIDs 788, 792, 1016, 2576, 2596, 2684, 3476, 3604, 3800 and 3896 are the system processes listed under Processes below.
System policy modification 1 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 2024-06-08_c2bf71e3c13abb482d2ee2b7e40df6d1_icedid.exe
Processes
Image path | Command line | PID (the sample runs as a child of Explorer.EXE)
-
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:788
-
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:792
-
C:\Windows\system32\dwm.exe | "dwm.exe" | PID:1016
-
C:\Windows\system32\sihost.exe | sihost.exe | PID:2576
-
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID:2596
-
C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID:2684
-
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:3476
  -
  C:\Users\Admin\AppData\Local\Temp\2024-06-08_c2bf71e3c13abb482d2ee2b7e40df6d1_icedid.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-08_c2bf71e3c13abb482d2ee2b7e40df6d1_icedid.exe" | PID:5084
  Signatures triggered by this process:
  - Modifies firewall policy service
  - UAC bypass
  - Windows security bypass
  - Windows security modification
  - Checks whether UAC is enabled
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
-
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID:3604
-
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:3800
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID:3896
-
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3956
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID:4040
-
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4104
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID:2096
-
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:1692
-
C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | PID:3436
-
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3428
-
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3524
Network
All flows are DNS PTR (reverse) lookups sent to 8.8.8.8:53. Columns: request name | PTR response (empty when no answer was returned) | bytes sent | bytes received | packets sent | packets received.
-
8.8.8.8.in-addr.arpa | dns.google | 66 B | 90 B | 1 | 1
-
149.220.183.52.in-addr.arpa | (no answer) | 73 B | 147 B | 1 | 1
-
172.210.232.199.in-addr.arpa | (no answer) | 74 B | 128 B | 1 | 1
-
75.159.190.20.in-addr.arpa | (no answer) | 72 B | 158 B | 1 | 1
-
183.142.211.20.in-addr.arpa | (no answer) | 73 B | 159 B | 1 | 1
-
183.59.114.20.in-addr.arpa | (no answer) | 72 B | 158 B | 1 | 1
-
206.23.85.13.in-addr.arpa | (no answer) | 71 B | 145 B | 1 | 1
-
0.204.248.87.in-addr.arpa | https-87-248-204-0.lhr.llnw.net | 71 B | 116 B | 1 | 1
-
91.90.14.23.in-addr.arpa | a23-14-90-91.deploy.static.akamaitechnologies.com | 70 B | 133 B | 1 | 1
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Create or Modify System Process (1): Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (3): Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
-
Filesize: 97KB
MD5: 2a9ec069a23a1eb728253a30d9cca974
SHA1: 262fa271286f306860d6fc9feec5eaf8f1caacbd
SHA256: f70ca8e5fbb302902e424baac72d4a6dd2ace41e29dbdbde97a5b4f8dc3077ad
SHA512: e67e02743267ff89d8267ee1adc786317ff0483447fbd16480a36ac865c569e1b9291c0aef1ff4fffd630ea229d18ce7e82906b5b07ba4584a7c4b81146f65fa