Analysis Overview
SHA256
dc237dea492d55204bc76155af340a73563c36a7c6d339dbb7402b605aa5c8de
Threat Level: Shows suspicious behavior
The file 2024-06-12_1461afbb436e1b7d7682a61d45f6e6f5_icedid was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Drops file in Program Files directory
Unsigned PE
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-12 18:43
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-12 18:43
Reported
2024-06-12 18:45
Platform
win7-20240419-en
Max time kernel
118s
Max time network
125s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\Reference\several.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_1461afbb436e1b7d7682a61d45f6e6f5_icedid.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_1461afbb436e1b7d7682a61d45f6e6f5_icedid.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Program Files\Reference\several.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_1461afbb436e1b7d7682a61d45f6e6f5_icedid.exe | N/A |
| File opened for modification | C:\Program Files\Reference\several.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_1461afbb436e1b7d7682a61d45f6e6f5_icedid.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_1461afbb436e1b7d7682a61d45f6e6f5_icedid.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_1461afbb436e1b7d7682a61d45f6e6f5_icedid.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_1461afbb436e1b7d7682a61d45f6e6f5_icedid.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_1461afbb436e1b7d7682a61d45f6e6f5_icedid.exe | N/A |
| N/A | N/A | C:\Program Files\Reference\several.exe | N/A |
| N/A | N/A | C:\Program Files\Reference\several.exe | N/A |
| N/A | N/A | C:\Program Files\Reference\several.exe | N/A |
| N/A | N/A | C:\Program Files\Reference\several.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1992 wrote to memory of 2404 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_1461afbb436e1b7d7682a61d45f6e6f5_icedid.exe | C:\Program Files\Reference\several.exe |
| PID 1992 wrote to memory of 2404 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_1461afbb436e1b7d7682a61d45f6e6f5_icedid.exe | C:\Program Files\Reference\several.exe |
| PID 1992 wrote to memory of 2404 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_1461afbb436e1b7d7682a61d45f6e6f5_icedid.exe | C:\Program Files\Reference\several.exe |
| PID 1992 wrote to memory of 2404 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_1461afbb436e1b7d7682a61d45f6e6f5_icedid.exe | C:\Program Files\Reference\several.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-12_1461afbb436e1b7d7682a61d45f6e6f5_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-12_1461afbb436e1b7d7682a61d45f6e6f5_icedid.exe"
C:\Program Files\Reference\several.exe
"C:\Program Files\Reference\several.exe" "33201"
Network
Files
\Program Files\Reference\several.exe
| Hash | Value |
|---|---|
| MD5 | 45a664ce6614a8152a693a25a2e5cbc5 |
| SHA1 | d6bc3d6bf232991ce22d51981489e23170de0329 |
| SHA256 | 653287dcd323c9ec9e1a55e8637fd7ab026f16e592a1d801d1530734420fcf32 |
| SHA512 | 84e40fb13830c7023fcd2bbdb4480816e664b97b3537b93a096c529a1286b8178f1d4a747a34ada396bd8c12bee368a01b3b60325d6fb8ce771abde5715ad3b6 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-12 18:43
Reported
2024-06-12 18:45
Platform
win10v2004-20240508-en
Max time kernel
51s
Max time network
58s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\several\structures.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Program Files\several\structures.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_1461afbb436e1b7d7682a61d45f6e6f5_icedid.exe | N/A |
| File opened for modification | C:\Program Files\several\structures.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_1461afbb436e1b7d7682a61d45f6e6f5_icedid.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_1461afbb436e1b7d7682a61d45f6e6f5_icedid.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_1461afbb436e1b7d7682a61d45f6e6f5_icedid.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_1461afbb436e1b7d7682a61d45f6e6f5_icedid.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_1461afbb436e1b7d7682a61d45f6e6f5_icedid.exe | N/A |
| N/A | N/A | C:\Program Files\several\structures.exe | N/A |
| N/A | N/A | C:\Program Files\several\structures.exe | N/A |
| N/A | N/A | C:\Program Files\several\structures.exe | N/A |
| N/A | N/A | C:\Program Files\several\structures.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 372 wrote to memory of 4288 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_1461afbb436e1b7d7682a61d45f6e6f5_icedid.exe | C:\Program Files\several\structures.exe |
| PID 372 wrote to memory of 4288 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_1461afbb436e1b7d7682a61d45f6e6f5_icedid.exe | C:\Program Files\several\structures.exe |
| PID 372 wrote to memory of 4288 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_1461afbb436e1b7d7682a61d45f6e6f5_icedid.exe | C:\Program Files\several\structures.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-12_1461afbb436e1b7d7682a61d45f6e6f5_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-12_1461afbb436e1b7d7682a61d45f6e6f5_icedid.exe"
C:\Program Files\several\structures.exe
"C:\Program Files\several\structures.exe" "33201"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
C:\Program Files\several\structures.exe
| Hash | Value |
|---|---|
| MD5 | 2430bd4cfe45b9f8080dba12e8579ef6 |
| SHA1 | 1c4d90f5f8e3bff9c996ceb77837aa9185a310b9 |
| SHA256 | 18d47d5359d814497a0a8e6bb3c2aacefdbee7e435c2f8e4f4bc48af6f410af3 |
| SHA512 | 93b5152199b42eab51fde199a2b2e9cf180e8be8452aba504b77f84b8360004fb9b1a7eb85774340e188ca2af32bac685a2e7f9081efd11055848d4cf1d68af9 |