Malware Analysis Report

2025-03-14 22:10

Sample ID 240613-gbg5vazdmj
Target 2024-06-13_8f061f168a2d9e3eb96e131cbad6c5f9_icedid
SHA256 a7b5a416bb650803ea12a3e982e773f8a94999c6f5d84eb6499d6025f70cae38
Tags
persistence
score
8/10

Analysis Overview

score
8/10

SHA256

a7b5a416bb650803ea12a3e982e773f8a94999c6f5d84eb6499d6025f70cae38

Threat Level: Likely malicious

The file 2024-06-13_8f061f168a2d9e3eb96e131cbad6c5f9_icedid was found to be: Likely malicious.

Malicious Activity Summary

persistence

Sets service image path in registry

Loads dropped DLL

Executes dropped EXE

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious behavior: LoadsDriver

Suspicious use of WriteProcessMemory

Kills process with taskkill

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2024-06-13 05:37

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 05:37

Reported

2024-06-13 05:40

Platform

win7-20240508-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_8f061f168a2d9e3eb96e131cbad6c5f9_icedid.exe"

Signatures

Sets service image path in registry

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\bPRILNcpwYimmwLL\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\bPRILNcpwYimmwLL" | C:\load.exe | N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\load.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A C:\load.exe N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\powercfg.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\powercfg.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\powercfg.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\powercfg.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\powercfg.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\powercfg.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\load.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2116 wrote to memory of 2612 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-13_8f061f168a2d9e3eb96e131cbad6c5f9_icedid.exe | C:\Windows\SysWOW64\cmd.exe
PID 2116 wrote to memory of 2612 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-13_8f061f168a2d9e3eb96e131cbad6c5f9_icedid.exe | C:\Windows\SysWOW64\cmd.exe
PID 2116 wrote to memory of 2612 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-13_8f061f168a2d9e3eb96e131cbad6c5f9_icedid.exe | C:\Windows\SysWOW64\cmd.exe
PID 2116 wrote to memory of 2612 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-13_8f061f168a2d9e3eb96e131cbad6c5f9_icedid.exe | C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 1136 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\powercfg.exe
PID 2612 wrote to memory of 1136 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\powercfg.exe
PID 2612 wrote to memory of 1136 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\powercfg.exe
PID 2612 wrote to memory of 1136 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\powercfg.exe
PID 2612 wrote to memory of 3040 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\load.exe
PID 2612 wrote to memory of 3040 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\load.exe
PID 2612 wrote to memory of 3040 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\load.exe
PID 2612 wrote to memory of 3040 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\load.exe
PID 2612 wrote to memory of 2672 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 2612 wrote to memory of 2672 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 2612 wrote to memory of 2672 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 2612 wrote to memory of 2672 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-13_8f061f168a2d9e3eb96e131cbad6c5f9_icedid.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_8f061f168a2d9e3eb96e131cbad6c5f9_icedid.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\start.bat

C:\Windows\SysWOW64\powercfg.exe

powercfg /h off

C:\load.exe

load.exe czb3.sys

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM WmiPrvSE.exe

Network

N/A

Files

C:\start.bat

MD5 4d0a20c9d156c365ae67928c3e4f2620
SHA1 6243de25eaa22c99e001bcde0b86b2c5177bf539
SHA256 6a6b71c66dac1c89bbf63dc840c2e49ac0487a67e81a69999837d8310db9c5f2
SHA512 b8a2fdb28300e64609455f05bb90c488caa8be9434f523d331618296d04d5da20dd8d26952f45c321cf3d41328a1ce88486368755a1a5aa0e66076c01a7003f3

C:\MSVCP140D.dll

MD5 37dc8cc78ecbcd12f27e665b70baefa7
SHA1 46fb9910cc10c4c0c52b547700e1950ce233be89
SHA256 b53add5b7bd6bb11fecc7be159885d0b75736d02423c11edc6eeb6f4bea80f6c
SHA512 078b0b408510c07eac85518f03a9e3fac8e4c8e2e36ccb8cd26962498c7f5bedbd79f7034af3ebfef9984f85d81c9032446b1b5c156b2174a769657ea0ab60a1

memory/3040-19-0x000000013FFB0000-0x000000014006C000-memory.dmp

memory/2612-17-0x0000000000590000-0x000000000064C000-memory.dmp

C:\load.exe

MD5 d5457ab33b79357d0c0acaa17119a44d
SHA1 572d3003af20308bf13bcddbbe4d85c9dbc6de35
SHA256 3dbf0e5076a5a3997f89e9e57d7452cc7f9d1dd131a16da44cdd288ca791eccb
SHA512 90e752d1c0dd4f6b51df843055dc3ab31db3f10d53f2b608bade1048e8d5f1dd2f8398acd1f2e54eedea1103291ae56918c50e0902af1f74ab0a39e136826c62

C:\VCRUNTIME140D.dll

MD5 f57fb935a9a76e151229f547c2204bba
SHA1 4021b804469816c3136b40c4ceb44c8d60ed15f5
SHA256 a77277af540d411ae33d371cc6f54d7b0a1937e0c14db7666d32c22fc5dca9c0
SHA512 cd9fc3fc460eba6a1b9f984b794940d28705ecb738df8595c2341abe4347141db14a9ff637c9f902e8742f5c48bbb61da7d5e231cc5b2bad2e8746c5a3e3e6ed

C:\ucrtbased.dll

MD5 c3130cfb00549a5a92da60e7f79f5fc9
SHA1 56c2e8fb1af609525b0f732bb67b806bddab3752
SHA256 eee42eabc546e5aa760f8df7105fcf505abffcb9ec4bf54398436303e407a3f8
SHA512 29bab5b441484bdfac9ec21cd4f0f7454af05bfd7d77f7d4662aeaeaa0d3e25439d52aa341958e7896701546b4a607d3c7a32715386c78b746dfae8529a70748

C:\VCRUNTIME140_1D.dll

MD5 868fd5f1ab2d50204c6b046fe172d4b8
SHA1 f2b43652ef62cba5f6f04f32f16b6b89819bc978
SHA256 104e5817ece4831e9989d8937c8dfe55d581db6b5bc8e22a1b492ca872eda70e
SHA512 402a0402b318539f26eac2fcd890700d2103f8eabd4b5289b64e2cdb5c30f4bb2b18f342c8a1ecc2cafb3f1d4258387a5300f9a86056f27b176b3fe995f9fc9d

memory/3040-25-0x000007FEF7830000-0x000007FEF7852000-memory.dmp

memory/3040-28-0x000000013FFB0000-0x000000014006C000-memory.dmp

memory/3040-27-0x000007FEF7810000-0x000007FEF781F000-memory.dmp

memory/3040-26-0x000007FEF5F80000-0x000007FEF613B000-memory.dmp

memory/3040-24-0x000007FEF6B90000-0x000007FEF6C86000-memory.dmp

C:\czb3.sys

MD5 a055a07974149fbcd9706a1f725a2607
SHA1 1fad84207ef40d251a8e7969d5fa2a400dfda3ee
SHA256 fc1be891c724d3aa50a435ade77793f5dd0a955b431902a61ffb6540455e3021
SHA512 34d39274e8d8b411a651a86e60cf2c1d07aae49291a16758f59ff76aad7fa93f7294976d1614ebf414813b1de0d4582d285b42c99565776a3800fa2874c4a841

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 05:37

Reported

2024-06-13 05:40

Platform

win10v2004-20240611-en

Max time kernel

93s

Max time network

99s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_8f061f168a2d9e3eb96e131cbad6c5f9_icedid.exe"

Signatures

Sets service image path in registry

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QLwvyvXMqbKBbbBKCxLcgTCVCEeuV\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\QLwvyvXMqbKBbbBKCxLcgTCVCEeuV" | C:\load.exe | N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\load.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\load.exe N/A
N/A N/A C:\load.exe N/A
N/A N/A C:\load.exe N/A
N/A N/A C:\load.exe N/A
N/A N/A C:\load.exe N/A
N/A N/A C:\load.exe N/A
N/A N/A C:\load.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A C:\load.exe N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\powercfg.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\powercfg.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\powercfg.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\powercfg.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\load.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-13_8f061f168a2d9e3eb96e131cbad6c5f9_icedid.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_8f061f168a2d9e3eb96e131cbad6c5f9_icedid.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\start.bat

C:\Windows\SysWOW64\powercfg.exe

powercfg /h off

C:\load.exe

load.exe czb3.sys

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM WmiPrvSE.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp

Files

C:\start.bat

MD5 4d0a20c9d156c365ae67928c3e4f2620
SHA1 6243de25eaa22c99e001bcde0b86b2c5177bf539
SHA256 6a6b71c66dac1c89bbf63dc840c2e49ac0487a67e81a69999837d8310db9c5f2
SHA512 b8a2fdb28300e64609455f05bb90c488caa8be9434f523d331618296d04d5da20dd8d26952f45c321cf3d41328a1ce88486368755a1a5aa0e66076c01a7003f3

C:\load.exe

MD5 d5457ab33b79357d0c0acaa17119a44d
SHA1 572d3003af20308bf13bcddbbe4d85c9dbc6de35
SHA256 3dbf0e5076a5a3997f89e9e57d7452cc7f9d1dd131a16da44cdd288ca791eccb
SHA512 90e752d1c0dd4f6b51df843055dc3ab31db3f10d53f2b608bade1048e8d5f1dd2f8398acd1f2e54eedea1103291ae56918c50e0902af1f74ab0a39e136826c62

memory/560-13-0x00007FF7BCD00000-0x00007FF7BCDBC000-memory.dmp

C:\MSVCP140D.dll

MD5 37dc8cc78ecbcd12f27e665b70baefa7
SHA1 46fb9910cc10c4c0c52b547700e1950ce233be89
SHA256 b53add5b7bd6bb11fecc7be159885d0b75736d02423c11edc6eeb6f4bea80f6c
SHA512 078b0b408510c07eac85518f03a9e3fac8e4c8e2e36ccb8cd26962498c7f5bedbd79f7034af3ebfef9984f85d81c9032446b1b5c156b2174a769657ea0ab60a1

C:\vcruntime140d.dll

MD5 f57fb935a9a76e151229f547c2204bba
SHA1 4021b804469816c3136b40c4ceb44c8d60ed15f5
SHA256 a77277af540d411ae33d371cc6f54d7b0a1937e0c14db7666d32c22fc5dca9c0
SHA512 cd9fc3fc460eba6a1b9f984b794940d28705ecb738df8595c2341abe4347141db14a9ff637c9f902e8742f5c48bbb61da7d5e231cc5b2bad2e8746c5a3e3e6ed

memory/560-26-0x00007FF7BCD00000-0x00007FF7BCDBC000-memory.dmp

C:\czb3.sys

MD5 a055a07974149fbcd9706a1f725a2607
SHA1 1fad84207ef40d251a8e7969d5fa2a400dfda3ee
SHA256 fc1be891c724d3aa50a435ade77793f5dd0a955b431902a61ffb6540455e3021
SHA512 34d39274e8d8b411a651a86e60cf2c1d07aae49291a16758f59ff76aad7fa93f7294976d1614ebf414813b1de0d4582d285b42c99565776a3800fa2874c4a841

C:\ucrtbased.dll

MD5 c3130cfb00549a5a92da60e7f79f5fc9
SHA1 56c2e8fb1af609525b0f732bb67b806bddab3752
SHA256 eee42eabc546e5aa760f8df7105fcf505abffcb9ec4bf54398436303e407a3f8
SHA512 29bab5b441484bdfac9ec21cd4f0f7454af05bfd7d77f7d4662aeaeaa0d3e25439d52aa341958e7896701546b4a607d3c7a32715386c78b746dfae8529a70748

C:\vcruntime140_1d.dll

MD5 868fd5f1ab2d50204c6b046fe172d4b8
SHA1 f2b43652ef62cba5f6f04f32f16b6b89819bc978
SHA256 104e5817ece4831e9989d8937c8dfe55d581db6b5bc8e22a1b492ca872eda70e
SHA512 402a0402b318539f26eac2fcd890700d2103f8eabd4b5289b64e2cdb5c30f4bb2b18f342c8a1ecc2cafb3f1d4258387a5300f9a86056f27b176b3fe995f9fc9d