Analysis Overview
SHA256
a552cabeed8a539e38ed4636f3d3407052775387740b688866aaf93722ae92ce
Threat Level: Shows suspicious behavior
The file 2024-06-12_605cdbfeb2359c2fd6672af990a122a0_icedid was found to be: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Executes dropped EXE
Drops file in Program Files directory
Program crash
Unsigned PE
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-12 18:49
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-12 18:49
Reported
2024-06-12 18:51
Platform
win10v2004-20240226-en
Max time kernel
113s
Max time network
159s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_605cdbfeb2359c2fd6672af990a122a0_icedid.exe | N/A |
| File created | C:\Program Files\.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_605cdbfeb2359c2fd6672af990a122a0_icedid.exe | N/A |
Program crash
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_605cdbfeb2359c2fd6672af990a122a0_icedid.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_605cdbfeb2359c2fd6672af990a122a0_icedid.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_605cdbfeb2359c2fd6672af990a122a0_icedid.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_605cdbfeb2359c2fd6672af990a122a0_icedid.exe | N/A |
| N/A | N/A | C:\Program Files\.exe | N/A |
| N/A | N/A | C:\Program Files\.exe | N/A |
| N/A | N/A | C:\Program Files\.exe | N/A |
| N/A | N/A | C:\Program Files\.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1836 wrote to memory of 3472 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_605cdbfeb2359c2fd6672af990a122a0_icedid.exe | C:\Program Files\.exe |
| PID 1836 wrote to memory of 3472 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_605cdbfeb2359c2fd6672af990a122a0_icedid.exe | C:\Program Files\.exe |
| PID 1836 wrote to memory of 3472 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_605cdbfeb2359c2fd6672af990a122a0_icedid.exe | C:\Program Files\.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-12_605cdbfeb2359c2fd6672af990a122a0_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-12_605cdbfeb2359c2fd6672af990a122a0_icedid.exe"
C:\Program Files\.exe
"C:\Program Files\\.exe" "33201"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1836 -ip 1836
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1836 -s 1040
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1836 -ip 1836
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1836 -s 1096
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4828 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.197.17.2.in-addr.arpa | udp |
| GB | 216.58.201.106:443 | tcp | |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 211.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
Files
C:\Program Files\.exe
| MD5 | ec82406f2077c60bcca58efefc1a336a |
| SHA1 | 6e49133c90ed761accddab3ffdbeeb2dbe3f1634 |
| SHA256 | b4e669a3a13c1205684abd57f5aa3458fbcaaf3f7d1171aee05dbc22e4fefc1b |
| SHA512 | d711aca10a15f49e5478876d71c12875657e065d9393834be46d5283992efafe891308b79f1dc42ac3d312d5822f4e8900fcf0bc9892f8e548b5190f9d5da341 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-12 18:49
Reported
2024-06-12 18:51
Platform
win7-20240611-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_605cdbfeb2359c2fd6672af990a122a0_icedid.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_605cdbfeb2359c2fd6672af990a122a0_icedid.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_605cdbfeb2359c2fd6672af990a122a0_icedid.exe | N/A |
| File created | C:\Program Files\.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_605cdbfeb2359c2fd6672af990a122a0_icedid.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_605cdbfeb2359c2fd6672af990a122a0_icedid.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_605cdbfeb2359c2fd6672af990a122a0_icedid.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_605cdbfeb2359c2fd6672af990a122a0_icedid.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_605cdbfeb2359c2fd6672af990a122a0_icedid.exe | N/A |
| N/A | N/A | C:\Program Files\.exe | N/A |
| N/A | N/A | C:\Program Files\.exe | N/A |
| N/A | N/A | C:\Program Files\.exe | N/A |
| N/A | N/A | C:\Program Files\.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1656 wrote to memory of 2868 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_605cdbfeb2359c2fd6672af990a122a0_icedid.exe | C:\Program Files\.exe |
| PID 1656 wrote to memory of 2868 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_605cdbfeb2359c2fd6672af990a122a0_icedid.exe | C:\Program Files\.exe |
| PID 1656 wrote to memory of 2868 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_605cdbfeb2359c2fd6672af990a122a0_icedid.exe | C:\Program Files\.exe |
| PID 1656 wrote to memory of 2868 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_605cdbfeb2359c2fd6672af990a122a0_icedid.exe | C:\Program Files\.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-12_605cdbfeb2359c2fd6672af990a122a0_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-12_605cdbfeb2359c2fd6672af990a122a0_icedid.exe"
C:\Program Files\.exe
"C:\Program Files\\.exe" "33201"
Network
Files
\Program Files\.exe
| MD5 | a7d09bad209362ac87a785893c12e8ef |
| SHA1 | 9328e36954361339cbbe190cb23560497c011040 |
| SHA256 | 1a261473780c8d4e6fdb93439b0fef58e6d220a2daab87812bd01c211172ec39 |
| SHA512 | 124f52f67f733c66fe64cca24b178bd54da6f55e42fa199e040203caa428a0acd5b67820d2f3488dc802b595b2a16db6667e60e21ff79137a27de97a8e14baa1 |