Analysis Overview
SHA256
a7b5a416bb650803ea12a3e982e773f8a94999c6f5d84eb6499d6025f70cae38
Threat Level: Likely malicious
The file 2024-06-13_8f061f168a2d9e3eb96e131cbad6c5f9_icedid was found to be: Likely malicious.
Malicious Activity Summary
Sets service image path in registry
Loads dropped DLL
Executes dropped EXE
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious behavior: LoadsDriver
Suspicious use of WriteProcessMemory
Kills process with taskkill
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-13 05:37
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 05:37
Reported
2024-06-13 05:40
Platform
win7-20240508-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Sets service image path in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\bPRILNcpwYimmwLL\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\bPRILNcpwYimmwLL" | C:\load.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\load.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\load.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\powercfg.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\load.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-13_8f061f168a2d9e3eb96e131cbad6c5f9_icedid.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-13_8f061f168a2d9e3eb96e131cbad6c5f9_icedid.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-13_8f061f168a2d9e3eb96e131cbad6c5f9_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-13_8f061f168a2d9e3eb96e131cbad6c5f9_icedid.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\start.bat
C:\Windows\SysWOW64\powercfg.exe
powercfg /h off
C:\load.exe
load.exe czb3.sys
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM WmiPrvSE.exe
Network
Files
C:\start.bat
| MD5 | 4d0a20c9d156c365ae67928c3e4f2620 |
| SHA1 | 6243de25eaa22c99e001bcde0b86b2c5177bf539 |
| SHA256 | 6a6b71c66dac1c89bbf63dc840c2e49ac0487a67e81a69999837d8310db9c5f2 |
| SHA512 | b8a2fdb28300e64609455f05bb90c488caa8be9434f523d331618296d04d5da20dd8d26952f45c321cf3d41328a1ce88486368755a1a5aa0e66076c01a7003f3 |
C:\MSVCP140D.dll
| MD5 | 37dc8cc78ecbcd12f27e665b70baefa7 |
| SHA1 | 46fb9910cc10c4c0c52b547700e1950ce233be89 |
| SHA256 | b53add5b7bd6bb11fecc7be159885d0b75736d02423c11edc6eeb6f4bea80f6c |
| SHA512 | 078b0b408510c07eac85518f03a9e3fac8e4c8e2e36ccb8cd26962498c7f5bedbd79f7034af3ebfef9984f85d81c9032446b1b5c156b2174a769657ea0ab60a1 |
memory/3040-19-0x000000013FFB0000-0x000000014006C000-memory.dmp
memory/2612-17-0x0000000000590000-0x000000000064C000-memory.dmp
C:\load.exe
| MD5 | d5457ab33b79357d0c0acaa17119a44d |
| SHA1 | 572d3003af20308bf13bcddbbe4d85c9dbc6de35 |
| SHA256 | 3dbf0e5076a5a3997f89e9e57d7452cc7f9d1dd131a16da44cdd288ca791eccb |
| SHA512 | 90e752d1c0dd4f6b51df843055dc3ab31db3f10d53f2b608bade1048e8d5f1dd2f8398acd1f2e54eedea1103291ae56918c50e0902af1f74ab0a39e136826c62 |
C:\VCRUNTIME140D.dll
| MD5 | f57fb935a9a76e151229f547c2204bba |
| SHA1 | 4021b804469816c3136b40c4ceb44c8d60ed15f5 |
| SHA256 | a77277af540d411ae33d371cc6f54d7b0a1937e0c14db7666d32c22fc5dca9c0 |
| SHA512 | cd9fc3fc460eba6a1b9f984b794940d28705ecb738df8595c2341abe4347141db14a9ff637c9f902e8742f5c48bbb61da7d5e231cc5b2bad2e8746c5a3e3e6ed |
C:\ucrtbased.dll
| MD5 | c3130cfb00549a5a92da60e7f79f5fc9 |
| SHA1 | 56c2e8fb1af609525b0f732bb67b806bddab3752 |
| SHA256 | eee42eabc546e5aa760f8df7105fcf505abffcb9ec4bf54398436303e407a3f8 |
| SHA512 | 29bab5b441484bdfac9ec21cd4f0f7454af05bfd7d77f7d4662aeaeaa0d3e25439d52aa341958e7896701546b4a607d3c7a32715386c78b746dfae8529a70748 |
C:\VCRUNTIME140_1D.dll
| MD5 | 868fd5f1ab2d50204c6b046fe172d4b8 |
| SHA1 | f2b43652ef62cba5f6f04f32f16b6b89819bc978 |
| SHA256 | 104e5817ece4831e9989d8937c8dfe55d581db6b5bc8e22a1b492ca872eda70e |
| SHA512 | 402a0402b318539f26eac2fcd890700d2103f8eabd4b5289b64e2cdb5c30f4bb2b18f342c8a1ecc2cafb3f1d4258387a5300f9a86056f27b176b3fe995f9fc9d |
memory/3040-25-0x000007FEF7830000-0x000007FEF7852000-memory.dmp
memory/3040-28-0x000000013FFB0000-0x000000014006C000-memory.dmp
memory/3040-27-0x000007FEF7810000-0x000007FEF781F000-memory.dmp
memory/3040-26-0x000007FEF5F80000-0x000007FEF613B000-memory.dmp
memory/3040-24-0x000007FEF6B90000-0x000007FEF6C86000-memory.dmp
C:\czb3.sys
| MD5 | a055a07974149fbcd9706a1f725a2607 |
| SHA1 | 1fad84207ef40d251a8e7969d5fa2a400dfda3ee |
| SHA256 | fc1be891c724d3aa50a435ade77793f5dd0a955b431902a61ffb6540455e3021 |
| SHA512 | 34d39274e8d8b411a651a86e60cf2c1d07aae49291a16758f59ff76aad7fa93f7294976d1614ebf414813b1de0d4582d285b42c99565776a3800fa2874c4a841 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 05:37
Reported
2024-06-13 05:40
Platform
win10v2004-20240611-en
Max time kernel
93s
Max time network
99s
Command Line
Signatures
Sets service image path in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QLwvyvXMqbKBbbBKCxLcgTCVCEeuV\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\QLwvyvXMqbKBbbBKCxLcgTCVCEeuV" | C:\load.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\load.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\load.exe | N/A |
| N/A | N/A | C:\load.exe | N/A |
| N/A | N/A | C:\load.exe | N/A |
| N/A | N/A | C:\load.exe | N/A |
| N/A | N/A | C:\load.exe | N/A |
| N/A | N/A | C:\load.exe | N/A |
| N/A | N/A | C:\load.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\load.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\powercfg.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\load.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-13_8f061f168a2d9e3eb96e131cbad6c5f9_icedid.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-13_8f061f168a2d9e3eb96e131cbad6c5f9_icedid.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-13_8f061f168a2d9e3eb96e131cbad6c5f9_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-13_8f061f168a2d9e3eb96e131cbad6c5f9_icedid.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\start.bat
C:\Windows\SysWOW64\powercfg.exe
powercfg /h off
C:\load.exe
load.exe czb3.sys
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM WmiPrvSE.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
C:\start.bat
| MD5 | 4d0a20c9d156c365ae67928c3e4f2620 |
| SHA1 | 6243de25eaa22c99e001bcde0b86b2c5177bf539 |
| SHA256 | 6a6b71c66dac1c89bbf63dc840c2e49ac0487a67e81a69999837d8310db9c5f2 |
| SHA512 | b8a2fdb28300e64609455f05bb90c488caa8be9434f523d331618296d04d5da20dd8d26952f45c321cf3d41328a1ce88486368755a1a5aa0e66076c01a7003f3 |
C:\load.exe
| MD5 | d5457ab33b79357d0c0acaa17119a44d |
| SHA1 | 572d3003af20308bf13bcddbbe4d85c9dbc6de35 |
| SHA256 | 3dbf0e5076a5a3997f89e9e57d7452cc7f9d1dd131a16da44cdd288ca791eccb |
| SHA512 | 90e752d1c0dd4f6b51df843055dc3ab31db3f10d53f2b608bade1048e8d5f1dd2f8398acd1f2e54eedea1103291ae56918c50e0902af1f74ab0a39e136826c62 |
memory/560-13-0x00007FF7BCD00000-0x00007FF7BCDBC000-memory.dmp
C:\MSVCP140D.dll
| MD5 | 37dc8cc78ecbcd12f27e665b70baefa7 |
| SHA1 | 46fb9910cc10c4c0c52b547700e1950ce233be89 |
| SHA256 | b53add5b7bd6bb11fecc7be159885d0b75736d02423c11edc6eeb6f4bea80f6c |
| SHA512 | 078b0b408510c07eac85518f03a9e3fac8e4c8e2e36ccb8cd26962498c7f5bedbd79f7034af3ebfef9984f85d81c9032446b1b5c156b2174a769657ea0ab60a1 |
C:\vcruntime140d.dll
| MD5 | f57fb935a9a76e151229f547c2204bba |
| SHA1 | 4021b804469816c3136b40c4ceb44c8d60ed15f5 |
| SHA256 | a77277af540d411ae33d371cc6f54d7b0a1937e0c14db7666d32c22fc5dca9c0 |
| SHA512 | cd9fc3fc460eba6a1b9f984b794940d28705ecb738df8595c2341abe4347141db14a9ff637c9f902e8742f5c48bbb61da7d5e231cc5b2bad2e8746c5a3e3e6ed |
memory/560-26-0x00007FF7BCD00000-0x00007FF7BCDBC000-memory.dmp
C:\czb3.sys
| MD5 | a055a07974149fbcd9706a1f725a2607 |
| SHA1 | 1fad84207ef40d251a8e7969d5fa2a400dfda3ee |
| SHA256 | fc1be891c724d3aa50a435ade77793f5dd0a955b431902a61ffb6540455e3021 |
| SHA512 | 34d39274e8d8b411a651a86e60cf2c1d07aae49291a16758f59ff76aad7fa93f7294976d1614ebf414813b1de0d4582d285b42c99565776a3800fa2874c4a841 |
C:\ucrtbased.dll
| MD5 | c3130cfb00549a5a92da60e7f79f5fc9 |
| SHA1 | 56c2e8fb1af609525b0f732bb67b806bddab3752 |
| SHA256 | eee42eabc546e5aa760f8df7105fcf505abffcb9ec4bf54398436303e407a3f8 |
| SHA512 | 29bab5b441484bdfac9ec21cd4f0f7454af05bfd7d77f7d4662aeaeaa0d3e25439d52aa341958e7896701546b4a607d3c7a32715386c78b746dfae8529a70748 |
C:\vcruntime140_1d.dll
| MD5 | 868fd5f1ab2d50204c6b046fe172d4b8 |
| SHA1 | f2b43652ef62cba5f6f04f32f16b6b89819bc978 |
| SHA256 | 104e5817ece4831e9989d8937c8dfe55d581db6b5bc8e22a1b492ca872eda70e |
| SHA512 | 402a0402b318539f26eac2fcd890700d2103f8eabd4b5289b64e2cdb5c30f4bb2b18f342c8a1ecc2cafb3f1d4258387a5300f9a86056f27b176b3fe995f9fc9d |