f0968c00c9c3193e8a00176e437746d976e6cbae61c6af849387ed5842a220a7

General

Target

2024-06-12_980861bf5d3964957725482dcc70c8b7_icedid.exe
Size

4.2MB
MD5

980861bf5d3964957725482dcc70c8b7
SHA1

7ba8c5464b35804149bd7b76dcc3387955bd2e9e
SHA256

f0968c00c9c3193e8a00176e437746d976e6cbae61c6af849387ed5842a220a7
SHA512

a69a10ecadc0cf9eca07a74c72b977c3a335584437f30aca6b4bd5329b6552b26a0366e852d0db6fbc04087864169883328554cadc0e74e1089cc0f89f54922a
SSDEEP

49152:FJxfgcUy4Z/NWJjd48rJS8/B90ozghlGJ7jsrvHA1:FJBgcUy4Z/NWX//M47jqK

Score

8^/10

persistence

Malware Config

Signatures

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PndcdNcOhxgnlYkeiEQe\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\PndcdNcOhxgnlYkeiEQe"	load.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	2024-06-12_980861bf5d3964957725482dcc70c8b7_icedid.exe

Deletes itself 1 IoCs

pid	Process
2092	WScript.exe

Executes dropped EXE 1 IoCs

pid	Process
396	load.exe

Loads dropped DLL 7 IoCs

pid	Process
396	load.exe
396	load.exe
396	load.exe
396	load.exe
396	load.exe
396	load.exe
396	load.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\ucrtbased.dll	2024-06-12_980861bf5d3964957725482dcc70c8b7_icedid.exe
File created	C:\Windows\vcruntime140_1d.dll	2024-06-12_980861bf5d3964957725482dcc70c8b7_icedid.exe
File created	C:\Windows\vcruntime140d.dll	2024-06-12_980861bf5d3964957725482dcc70c8b7_icedid.exe
File created	C:\Windows\czb3.sys	2024-06-12_980861bf5d3964957725482dcc70c8b7_icedid.exe
File created	C:\Windows\load.exe	2024-06-12_980861bf5d3964957725482dcc70c8b7_icedid.exe
File created	C:\Windows\msvcp140d.dll	2024-06-12_980861bf5d3964957725482dcc70c8b7_icedid.exe
File created	C:\Windows\start.bat	2024-06-12_980861bf5d3964957725482dcc70c8b7_icedid.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
2880	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings	2024-06-12_980861bf5d3964957725482dcc70c8b7_icedid.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
396	load.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1660	powercfg.exe
Token: SeCreatePagefilePrivilege	1660	powercfg.exe
Token: SeShutdownPrivilege	1660	powercfg.exe
Token: SeCreatePagefilePrivilege	1660	powercfg.exe
Token: SeLoadDriverPrivilege	396	load.exe
Token: SeDebugPrivilege	2880	taskkill.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4532	2024-06-12_980861bf5d3964957725482dcc70c8b7_icedid.exe
4532	2024-06-12_980861bf5d3964957725482dcc70c8b7_icedid.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4532 wrote to memory of 1456	4532	2024-06-12_980861bf5d3964957725482dcc70c8b7_icedid.exe	82
PID 4532 wrote to memory of 1456	4532	2024-06-12_980861bf5d3964957725482dcc70c8b7_icedid.exe	82
PID 4532 wrote to memory of 1456	4532	2024-06-12_980861bf5d3964957725482dcc70c8b7_icedid.exe	82
PID 1456 wrote to memory of 1660	1456	cmd.exe	83
PID 1456 wrote to memory of 1660	1456	cmd.exe	83
PID 1456 wrote to memory of 1660	1456	cmd.exe	83
PID 1456 wrote to memory of 396	1456	cmd.exe	84
PID 1456 wrote to memory of 396	1456	cmd.exe	84
PID 1456 wrote to memory of 2880	1456	cmd.exe	85
PID 1456 wrote to memory of 2880	1456	cmd.exe	85
PID 1456 wrote to memory of 2880	1456	cmd.exe	85
PID 4532 wrote to memory of 2092	4532	2024-06-12_980861bf5d3964957725482dcc70c8b7_icedid.exe	87
PID 4532 wrote to memory of 2092	4532	2024-06-12_980861bf5d3964957725482dcc70c8b7_icedid.exe	87
PID 4532 wrote to memory of 2092	4532	2024-06-12_980861bf5d3964957725482dcc70c8b7_icedid.exe	87

C:\Users\Admin\AppData\Local\Temp\2024-06-12_980861bf5d3964957725482dcc70c8b7_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-12_980861bf5d3964957725482dcc70c8b7_icedid.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4532
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\start.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1456
- - C:\Windows\SysWOW64\powercfg.exe
    powercfg /h off
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1660
- - C:\Windows\load.exe
    load.exe czb3.sys
    3⤵
    - Sets service image path in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
    PID:396
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM WmiPrvSE.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2880
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tem.vbs"
  2⤵
  - Deletes itself
  PID:2092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tem.vbs

Filesize
261B

MD5
f2fc4cf5d70ab42f975d664bf846afea

SHA1
d1c5bd452aa2b9c2c77aaf06d8533c01ae80c9a8

SHA256
ccc2abbe7bb6d104353a85e764eb82a29e345f1b01bf601f3a0d30ffd7e6a4ea

SHA512
35cfccc6b38dde37c1b15fa78c4867457da9b31223013e3af77e31f308ec6b2c4e555feec79d62e009dde66ec779c44f519b9d25a0b25e8bf9f551a64f6ec6d8

Download Submit
C:\Windows\VCRUNTIME140D.dll

Filesize
128KB

MD5
f57fb935a9a76e151229f547c2204bba

SHA1
4021b804469816c3136b40c4ceb44c8d60ed15f5

SHA256
a77277af540d411ae33d371cc6f54d7b0a1937e0c14db7666d32c22fc5dca9c0

SHA512
cd9fc3fc460eba6a1b9f984b794940d28705ecb738df8595c2341abe4347141db14a9ff637c9f902e8742f5c48bbb61da7d5e231cc5b2bad2e8746c5a3e3e6ed

Download Submit
C:\Windows\czb3.sys

Filesize
17KB

MD5
a055a07974149fbcd9706a1f725a2607

SHA1
1fad84207ef40d251a8e7969d5fa2a400dfda3ee

SHA256
fc1be891c724d3aa50a435ade77793f5dd0a955b431902a61ffb6540455e3021

SHA512
34d39274e8d8b411a651a86e60cf2c1d07aae49291a16758f59ff76aad7fa93f7294976d1614ebf414813b1de0d4582d285b42c99565776a3800fa2874c4a841

Download Submit
C:\Windows\load.exe

Filesize
556KB

MD5
d5457ab33b79357d0c0acaa17119a44d

SHA1
572d3003af20308bf13bcddbbe4d85c9dbc6de35

SHA256
3dbf0e5076a5a3997f89e9e57d7452cc7f9d1dd131a16da44cdd288ca791eccb

SHA512
90e752d1c0dd4f6b51df843055dc3ab31db3f10d53f2b608bade1048e8d5f1dd2f8398acd1f2e54eedea1103291ae56918c50e0902af1f74ab0a39e136826c62

Download Submit
C:\Windows\msvcp140d.dll

Filesize
977KB

MD5
37dc8cc78ecbcd12f27e665b70baefa7

SHA1
46fb9910cc10c4c0c52b547700e1950ce233be89

SHA256
b53add5b7bd6bb11fecc7be159885d0b75736d02423c11edc6eeb6f4bea80f6c

SHA512
078b0b408510c07eac85518f03a9e3fac8e4c8e2e36ccb8cd26962498c7f5bedbd79f7034af3ebfef9984f85d81c9032446b1b5c156b2174a769657ea0ab60a1

Download Submit
C:\Windows\start.bat

Filesize
266B

MD5
4d0a20c9d156c365ae67928c3e4f2620

SHA1
6243de25eaa22c99e001bcde0b86b2c5177bf539

SHA256
6a6b71c66dac1c89bbf63dc840c2e49ac0487a67e81a69999837d8310db9c5f2

SHA512
b8a2fdb28300e64609455f05bb90c488caa8be9434f523d331618296d04d5da20dd8d26952f45c321cf3d41328a1ce88486368755a1a5aa0e66076c01a7003f3

Download Submit
C:\Windows\ucrtbased.dll

Filesize
1.7MB

MD5
c3130cfb00549a5a92da60e7f79f5fc9

SHA1
56c2e8fb1af609525b0f732bb67b806bddab3752

SHA256
eee42eabc546e5aa760f8df7105fcf505abffcb9ec4bf54398436303e407a3f8

SHA512
29bab5b441484bdfac9ec21cd4f0f7454af05bfd7d77f7d4662aeaeaa0d3e25439d52aa341958e7896701546b4a607d3c7a32715386c78b746dfae8529a70748

Download Submit
C:\Windows\vcruntime140_1d.dll

Filesize
58KB

MD5
868fd5f1ab2d50204c6b046fe172d4b8

SHA1
f2b43652ef62cba5f6f04f32f16b6b89819bc978

SHA256
104e5817ece4831e9989d8937c8dfe55d581db6b5bc8e22a1b492ca872eda70e

SHA512
402a0402b318539f26eac2fcd890700d2103f8eabd4b5289b64e2cdb5c30f4bb2b18f342c8a1ecc2cafb3f1d4258387a5300f9a86056f27b176b3fe995f9fc9d

Download Submit
memory/396-28-0x00007FF616D70000-0x00007FF616E2C000-memory.dmp

Filesize
752KB

Download
memory/396-18-0x00007FF616D70000-0x00007FF616E2C000-memory.dmp

Filesize
752KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads