f1a13531dc247234aa957fbed7234c716fb51f8b93ad0ac876916652c96dc303

Analysis

max time kernel
93s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
12/06/2024, 05:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-06-12_ae8b074b994405f6483f70e7fd31243f_icedid.exe
Size

5.4MB
MD5

ae8b074b994405f6483f70e7fd31243f
SHA1

9ff48d2e25769fed3ef06de3e4b4e32ae25d2469
SHA256

f1a13531dc247234aa957fbed7234c716fb51f8b93ad0ac876916652c96dc303
SHA512

d45225540dc14c3314eef27ab89f9424ba166b481ab9f92ceaab49f6d5e9fa5d0a25f7b6a17636701e121233cb841aa127692ca79e6f5adeb1ed5ebc328321fa
SSDEEP

98304:T8dHdyIUmsPUeeczoxUGm+cKAeIpFkKTpTmaFbh4kp1uHbOTVJwa:QOIUPUpUGm+cJmGbh7IHCrwa

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4256	FlashRegistrar.exe

Loads dropped DLL 2 IoCs

pid	Process
4256	FlashRegistrar.exe
3916	2024-06-12_ae8b074b994405f6483f70e7fd31243f_icedid.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	2024-06-12_ae8b074b994405f6483f70e7fd31243f_icedid.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	2024-06-12_ae8b074b994405f6483f70e7fd31243f_icedid.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.3\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	FlashRegistrar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.6	FlashRegistrar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.8\CLSID	FlashRegistrar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.10\ = "Shockwave Flash Object"	FlashRegistrar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory.1\CLSID\ = "{D27CDB70-AE6D-11cf-96B8-444553540000}"	FlashRegistrar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32\ThreadingModel = "Apartment"	FlashRegistrar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib	FlashRegistrar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CPE5F73.tmp"	FlashRegistrar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}	FlashRegistrar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\TypeLib	FlashRegistrar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\FLAGS	FlashRegistrar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32	FlashRegistrar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}	FlashRegistrar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.1	FlashRegistrar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.7\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	FlashRegistrar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.10	FlashRegistrar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID\ = "ShockwaveFlash.ShockwaveFlash.10"	FlashRegistrar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.3	FlashRegistrar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.10\CLSID	FlashRegistrar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CPE5F73.tmp\\Flash.ocx"	FlashRegistrar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Programmable	FlashRegistrar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32\ThreadingModel = "Apartment"	FlashRegistrar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\ = "_IShockwaveFlashEvents"	FlashRegistrar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.1\CLSID	FlashRegistrar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.6\CLSID	FlashRegistrar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.8\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	FlashRegistrar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash	FlashRegistrar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\CLSID	FlashRegistrar.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Programmable	FlashRegistrar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mfp	FlashRegistrar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.1\ = "Shockwave Flash Object"	FlashRegistrar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory\ = "Macromedia Flash Factory Object"	FlashRegistrar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory\CurVer	FlashRegistrar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\CurVer	FlashRegistrar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ = "Shockwave Flash Object"	FlashRegistrar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.spl	FlashRegistrar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-shockwave-flash	FlashRegistrar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\0	FlashRegistrar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.5\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	FlashRegistrar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\EnableFullPage\.mfp	FlashRegistrar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sol\Content Type = "text/plain"	FlashRegistrar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.3\CLSID	FlashRegistrar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32	FlashRegistrar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version\ = "1.0"	FlashRegistrar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\ = "Shockwave Flash"	FlashRegistrar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.5\ = "Shockwave Flash Object"	FlashRegistrar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32	FlashRegistrar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus	FlashRegistrar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID	FlashRegistrar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Control	FlashRegistrar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32	FlashRegistrar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CPE5F73.tmp\\Flash.ocx"	FlashRegistrar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\ = "IShockwaveFlash"	FlashRegistrar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32	FlashRegistrar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.6\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	FlashRegistrar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\ = "Shockwave Flash Object"	FlashRegistrar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib\ = "{D27CDB6B-AE6D-11cf-96B8-444553540000}"	FlashRegistrar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\EnableFullPage\.spl	FlashRegistrar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\TypeLib	FlashRegistrar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\CurVer\ = "ShockwaveFlash.ShockwaveFlash.10"	FlashRegistrar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID	FlashRegistrar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib\ = "{D27CDB6B-AE6D-11cf-96B8-444553540000}"	FlashRegistrar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-shockwave-flash\CLSID = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	FlashRegistrar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0	FlashRegistrar.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3916	2024-06-12_ae8b074b994405f6483f70e7fd31243f_icedid.exe
3916	2024-06-12_ae8b074b994405f6483f70e7fd31243f_icedid.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3916 wrote to memory of 4256	3916	2024-06-12_ae8b074b994405f6483f70e7fd31243f_icedid.exe	79
PID 3916 wrote to memory of 4256	3916	2024-06-12_ae8b074b994405f6483f70e7fd31243f_icedid.exe	79
PID 3916 wrote to memory of 4256	3916	2024-06-12_ae8b074b994405f6483f70e7fd31243f_icedid.exe	79

C:\Users\Admin\AppData\Local\Temp\2024-06-12_ae8b074b994405f6483f70e7fd31243f_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-12_ae8b074b994405f6483f70e7fd31243f_icedid.exe"
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3916
- C:\Users\Admin\AppData\Local\Temp\CPE5F73.tmp\FlashRegistrar.exe
  C:\Users\Admin\AppData\Local\Temp\CPE5F73.tmp\FlashRegistrar.exe R C:\Users\Admin\AppData\Local\Temp\CPE5F73.tmp\Flash.ocx
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  PID:4256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CPE5F73.tmp\Flash.ocx

Filesize
3.8MB

MD5
43c6acdfb92a18c3e516e6bd5f1acd51

SHA1
da52ab3e629720adf6c6a3a8f4d47d777a2425a7

SHA256
e87aec8f4fd23c6e2be44b504804e011154b80dcde5cbf9888d4660b0436a889

SHA512
58b86d2609b81fee47bfe956b1e62d9a5b959736af41a8ad568121d9b60926fc142c79190a8e234fa3c8724e61e04147d6b9ca4fdee57ef6f4579f15b2951722

Download Submit
C:\Users\Admin\AppData\Local\Temp\CPE5F73.tmp\FlashRegistrar.exe

Filesize
63KB

MD5
ed4bb3a88c0d63c029126e6e5cba625e

SHA1
f6bbc2ee6079b006e5c811f1e0a1a36a8aafdebc

SHA256
0538bc97b726aa5a4c90705f0141eb86b26e240ea035ae4d96211f985d6220dd

SHA512
cda6b6adcdfc08f1846bbc55a514793960d7bebe792e3ac032ace2b83d1f00ebabcc69263ab66b1f8ed22487bedc6c816e795a66955f04da28a33621fe717a9e

Download Submit
memory/3916-8-0x0000000004620000-0x0000000004621000-memory.dmp

Filesize
4KB

Download
memory/3916-32-0x0000000004080000-0x0000000004082000-memory.dmp

Filesize
8KB

Download
memory/3916-31-0x0000000004080000-0x0000000004082000-memory.dmp

Filesize
8KB

Download
memory/3916-30-0x0000000004080000-0x0000000004082000-memory.dmp

Filesize
8KB

Download
memory/3916-29-0x0000000004080000-0x0000000004082000-memory.dmp

Filesize
8KB

Download
memory/3916-28-0x0000000004080000-0x0000000004082000-memory.dmp

Filesize
8KB

Download
memory/3916-27-0x0000000004080000-0x0000000004082000-memory.dmp

Filesize
8KB

Download
memory/3916-26-0x0000000004080000-0x0000000004082000-memory.dmp

Filesize
8KB

Download
memory/3916-25-0x0000000004080000-0x0000000004082000-memory.dmp

Filesize
8KB

Download
memory/3916-427-0x0000000004620000-0x0000000004621000-memory.dmp

Filesize
4KB

Download