Analysis Overview
SHA256
0941713c2a5638454f9f0cd0ea1b7e2db8712af9ba024661ecc01e966ac404bb
Threat Level: Shows suspicious behavior
The file 2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar was classified as "Shows suspicious behavior".
Malicious Activity Summary
Loads dropped DLL
Adds Run key to start application
Writes to the Master Boot Record (MBR)
Enumerates connected drives
Drops file in Program Files directory
Enumerates physical storage devices
Unsigned PE
Suspicious use of SetWindowsHookEx
Modifies registry class
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-14 11:10
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-14 11:10
Reported
2024-06-14 11:13
Platform
win7-20240508-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\FEIQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe 1" | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened (read-only) | \??\A: | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| File opened (read-only) | \??\B: | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
Drops file in Program Files directory
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\FEIQ.EXE\AppID = "{B6938C8A-42A7-40AE-A4A9-85EAC54FC8F8}" | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQMenu\CurVer\ = "FeiQ.FQMenu.1" | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQBuddyCollection\ = "FQBuddyCollection Class" | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQTools | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4AB3843-3548-4e73-B99D-620DF075BB32}\ = "FQData Class" | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQMenu | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQBuddy | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQBuddy\ = "FQBuddy Class" | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.Application | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4AB3843-3548-4e73-B99D-620DF075BB32}\VersionIndependentProgID\ = "FeiQ.FQData" | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BE8BCAB3-73D7-4316-872E-2C776302ECD4}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BE8BCAB3-73D7-4316-872E-2C776302ECD4}\LocalServer32 | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}\TypeLib | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQMenu\CurVer | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97819BF3-8E21-477c-9162-5AED70E4155A}\TypeLib | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B76352A6-61E3-481a-A219-9B50DAB47F80}\ = "FQDataCollection Class" | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQRoot.1\ = "FQRoot Class" | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQRoot\CLSID\ = "{BE8BCAB3-73D7-4316-872E-2C776302ECD4}" | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BE8BCAB3-73D7-4316-872E-2C776302ECD4}\TypeLib\ = "{83863943-2942-4480-83CF-CE99E5655801}" | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQUi.1\ = "CFQUi Class" | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQCalendar\CurVer\ = "FeiQ.FQCalendar.1" | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.Application\ = "Application Class" | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A5CAC5D2-0527-414b-979F-0FAA325646CC}\ProgID | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQRoot\CurVer | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BE8BCAB3-73D7-4316-872E-2C776302ECD4}\ = "FQRoot Class" | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B6620960-3908-4FE6-B347-9744EEF0ABE2}\LocalServer32 | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{710993A2-4F87-41D7-B6FE-F5A20368465F}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BE8BCAB3-73D7-4316-872E-2C776302ECD4}\ProgID | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A5CAC5D2-0527-414b-979F-0FAA325646CC}\Programmable | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ImageOle.GifAnimator\CLSID\ = "{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}" | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\InprocServer32\ = "C:\\Program Files\\feiq\\GifDll\\ImageOle.dll" | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\VersionIndependentProgID\ = "ImageOle.GifAnimator" | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{78669512-A747-4933-8DEC-6C1196599BFB} | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{78669512-A747-4933-8DEC-6C1196599BFB}\LocalServer32 | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQFolderBar\CLSID\ = "{CBAFFFA3-8012-4E65-902C-9DF4360BFC3B}" | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A5CAC5D2-0527-414b-979F-0FAA325646CC}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A5CAC5D2-0527-414b-979F-0FAA325646CC}\AppID = "{B6938C8A-42A7-40AE-A4A9-85EAC54FC8F8}" | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQRoot.1 | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BE8BCAB3-73D7-4316-872E-2C776302ECD4}\ProgID\ = "FeiQ.FQRoot.1" | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0525C8BE-6CCA-4AF7-B72A-1D81756978F0}\AppID = "{B6938C8A-42A7-40AE-A4A9-85EAC54FC8F8}" | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{710993A2-4F87-41D7-B6FE-F5A20368465F}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQFolderBar.1\CLSID | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4AB3843-3548-4e73-B99D-620DF075BB32}\ProgID\ = "FeiQ.FQData.1" | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A5CAC5D2-0527-414b-979F-0FAA325646CC}\TypeLib\ = "{83863943-2942-4480-83CF-CE99E5655801}" | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQFolderBar\CurVer | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQData\ = "FQData Class" | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQUi.1 | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B6620960-3908-4FE6-B347-9744EEF0ABE2}\VersionIndependentProgID\ = "FeiQ.FQUi" | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CBAFFFA3-8012-4E65-902C-9DF4360BFC3B}\ = "FQFolderBar Class" | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQCalendar | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQDataCollection\ = "FQDataCollection Class" | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\Version\ = "1.0" | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97819BF3-8E21-477c-9162-5AED70E4155A}\AppID = "{B6938C8A-42A7-40AE-A4A9-85EAC54FC8F8}" | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{78669512-A747-4933-8DEC-6C1196599BFB}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe\"" | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQTools\ = "FQTools Class" | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0525C8BE-6CCA-4AF7-B72A-1D81756978F0}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4AB3843-3548-4e73-B99D-620DF075BB32}\LocalServer32 | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQDataCollection\CLSID\ = "{B76352A6-61E3-481a-A219-9B50DAB47F80}" | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ImageOle.GifAnimator\CurVer\ = "ImageOle.GifAnimator.1" | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}\TypeLib\ = "{710993A2-4F87-41D7-B6FE-F5A20368465F}" | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97819BF3-8E21-477c-9162-5AED70E4155A}\LocalServer32 | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{39AF7A0C-F38A-420F-9611-6C848375977B} | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
Suspicious use of SetWindowsHookEx
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 10.127.255.255:2425 | N/A | udp |
| N/A | 255.255.255.255:2425 | N/A | udp |
| N/A | 10.127.0.54:2425 | N/A | udp |
| US | 8.8.8.8:53 | e.feiq18.com | udp |
| US | 8.8.8.8:53 | www.feiq18.com | udp |
| US | 8.8.8.8:53 | feiqupgrade.blog.sohu.com | udp |
Files
memory/492-0-0x0000000000400000-0x000000000157F000-memory.dmp
C:\Users\Admin\AppData\Roaming\feiq\feiq.ini
| Hash | Value |
| --- | --- |
| MD5 | ad7812ebc6c6bf360977baac663a42f5 |
| SHA1 | 72844f6c194ffbbc2fb254e76951fe2cd4e479a5 |
| SHA256 | a7b8987fdcc95136c90be17665bb4b21d07f0270a427592eea6f4fc63422d9df |
| SHA512 | d5b4453e2df7121ade86df50e444abc27a9c4a9e72eaddf5f95c4befafe0e7829a0f63509c5cc7db7ba5e86e3efc85eac3b1da9c26499ad62362af6dff17c7e9 |
memory/492-11-0x0000000000B7F000-0x0000000000B80000-memory.dmp
\Program Files\feiq\GifDll\ImageOle.dll
| Hash | Value |
| --- | --- |
| MD5 | c653904916e99c2653bf3b339c734f05 |
| SHA1 | 6cb3cde5b5f7ffd76b0de150feb15801f705dd57 |
| SHA256 | a11cd7f420a737e8127012c24dc3fbce1b2e6c6c3425f2028c6171a7e8eb7785 |
| SHA512 | d4aa6713140d2391ee56352dc350e892ffc905843e74f1cdc99b0ce1645ec1d1ba4e990a8ee847928aabd10de0488f035c5df5e005ec7048c4f07d88d9082e6b |
memory/492-19-0x0000000000400000-0x000000000157F000-memory.dmp
memory/492-20-0x0000000000400000-0x000000000157F000-memory.dmp
memory/492-26-0x0000000000400000-0x000000000157F000-memory.dmp
memory/492-23-0x0000000000400000-0x000000000157F000-memory.dmp
memory/492-33-0x0000000000400000-0x000000000157F000-memory.dmp
memory/492-40-0x0000000000400000-0x000000000157F000-memory.dmp
memory/492-79-0x0000000000400000-0x000000000157F000-memory.dmp
memory/492-81-0x0000000000400000-0x000000000157F000-memory.dmp
memory/492-84-0x0000000000400000-0x000000000157F000-memory.dmp
memory/492-88-0x0000000000400000-0x000000000157F000-memory.dmp
memory/492-151-0x0000000000400000-0x000000000157F000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-14 11:10
Reported
2024-06-14 11:13
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FEIQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe 1" | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened (read-only) | \??\A: | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| File opened (read-only) | \??\B: | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
Drops file in Program Files directory
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQBuddy\CurVer\ = "FeiQ.FQBuddy.1" | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQData\ = "FQData Class" | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQRoot.1\ = "FQRoot Class" | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B6620960-3908-4FE6-B347-9744EEF0ABE2}\AppID = "{B6938C8A-42A7-40AE-A4A9-85EAC54FC8F8}" | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQBuddyCollection.1 | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQBuddyCollection | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{39AF7A0C-F38A-420F-9611-6C848375977B}\ProgID\ = "FeiQ.FQBuddyCollection.1" | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{39AF7A0C-F38A-420F-9611-6C848375977B}\AppID = "{B6938C8A-42A7-40AE-A4A9-85EAC54FC8F8}" | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ImageOle.GifAnimator | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{710993A2-4F87-41D7-B6FE-F5A20368465F}\1.0\0\win32\ = "C:\\Program Files\\feiq\\GifDll\\ImageOle.dll" | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.Application.1\CLSID | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B6620960-3908-4FE6-B347-9744EEF0ABE2}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B6620960-3908-4FE6-B347-9744EEF0ABE2}\Programmable | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\TypeLib | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\FEIQ.EXE\AppID = "{B6938C8A-42A7-40AE-A4A9-85EAC54FC8F8}" | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQBuddy\CLSID | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CBAFFFA3-8012-4E65-902C-9DF4360BFC3B}\ProgID\ = "FeiQ.FQFolderBar.1" | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1129492B-BE39-4F68-9FB2-954A15642CE6}\Programmable | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16} | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0525C8BE-6CCA-4AF7-B72A-1D81756978F0}\ = "Application Class" | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQDataCollection.1\ = "FQDataCollection Class" | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.ClientObjectsModule\CLSID\ = "{A5CAC5D2-0527-414b-979F-0FAA325646CC}" | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BE8BCAB3-73D7-4316-872E-2C776302ECD4}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQBuddyCollection\ = "FQBuddyCollection Class" | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{78669512-A747-4933-8DEC-6C1196599BFB}\ProgID\ = "FeiQ.FQBuddy.1" | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CBAFFFA3-8012-4E65-902C-9DF4360BFC3B}\ = "FQFolderBar Class" | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQTools.1\CLSID\ = "{1129492B-BE39-4F68-9FB2-954A15642CE6}" | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B76352A6-61E3-481a-A219-9B50DAB47F80}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe\"" | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}\TypeLib | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{97819BF3-8E21-477c-9162-5AED70E4155A}\ProgID\ = "FeiQ.FQMenu.1" | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.Application.1\CLSID\ = "{0525C8BE-6CCA-4AF7-B72A-1D81756978F0}" | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.Application\CurVer | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQData\CurVer\ = "FeiQ.FQData.1" | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{710993A2-4F87-41D7-B6FE-F5A20368465F}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CBAFFFA3-8012-4E65-902C-9DF4360BFC3B}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe\"" | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQCalendar\CLSID | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQDataCollection.1 | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A5CAC5D2-0527-414b-979F-0FAA325646CC} | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQCalendar\ = "FQCalendar Class" | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQRoot | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\ToolboxBitmap32 | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BE8BCAB3-73D7-4316-872E-2C776302ECD4}\Programmable | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{710993A2-4F87-41D7-B6FE-F5A20368465F}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{B6938C8A-42A7-40AE-A4A9-85EAC54FC8F8} | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{78669512-A747-4933-8DEC-6C1196599BFB}\ProgID | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{78669512-A747-4933-8DEC-6C1196599BFB}\TypeLib | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQTools\ = "FQTools Class" | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A5CAC5D2-0527-414b-979F-0FAA325646CC}\VersionIndependentProgID\ = "FeiQ.ClientObjectsModule" | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\Insertable | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQFolderBar.1 | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQData\CurVer | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4AB3843-3548-4e73-B99D-620DF075BB32}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe\"" | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0525C8BE-6CCA-4AF7-B72A-1D81756978F0}\VersionIndependentProgID\ = "FeiQ.Application" | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4AB3843-3548-4e73-B99D-620DF075BB32}\ = "FQData Class" | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQFolderBar | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CBAFFFA3-8012-4E65-902C-9DF4360BFC3B}\TypeLib | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CBAFFFA3-8012-4E65-902C-9DF4360BFC3B}\TypeLib\ = "{83863943-2942-4480-83CF-CE99E5655801}" | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0525C8BE-6CCA-4AF7-B72A-1D81756978F0}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{78669512-A747-4933-8DEC-6C1196599BFB}\VersionIndependentProgID\ = "FeiQ.FQBuddy" | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQCalendar.1 | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQDataCollection\CLSID\ = "{B76352A6-61E3-481a-A219-9B50DAB47F80}" | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{78669512-A747-4933-8DEC-6C1196599BFB}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe\"" | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe | N/A |
Suspicious use of SetWindowsHookEx
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-14_dd9990df56177ce3368761f97e201102_icedid_vidar.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| N/A | 10.127.255.255:2425 | N/A | udp |
| N/A | 255.255.255.255:2425 | N/A | udp |
| US | 8.8.8.8:53 | e.feiq18.com | udp |
| N/A | 10.127.0.95:2425 | N/A | udp |
| US | 8.8.8.8:53 | www.feiq18.com | udp |
Files
memory/4296-0-0x0000000000400000-0x000000000157F000-memory.dmp
C:\Users\Admin\AppData\Roaming\feiq\feiq.ini
| MD5 | ad7812ebc6c6bf360977baac663a42f5 |
| SHA1 | 72844f6c194ffbbc2fb254e76951fe2cd4e479a5 |
| SHA256 | a7b8987fdcc95136c90be17665bb4b21d07f0270a427592eea6f4fc63422d9df |
| SHA512 | d5b4453e2df7121ade86df50e444abc27a9c4a9e72eaddf5f95c4befafe0e7829a0f63509c5cc7db7ba5e86e3efc85eac3b1da9c26499ad62362af6dff17c7e9 |
memory/4296-8-0x0000000000B7F000-0x0000000000B80000-memory.dmp
C:\Program Files\feiq\GifDll\ImageOle.dll
| MD5 | c653904916e99c2653bf3b339c734f05 |
| SHA1 | 6cb3cde5b5f7ffd76b0de150feb15801f705dd57 |
| SHA256 | a11cd7f420a737e8127012c24dc3fbce1b2e6c6c3425f2028c6171a7e8eb7785 |
| SHA512 | d4aa6713140d2391ee56352dc350e892ffc905843e74f1cdc99b0ce1645ec1d1ba4e990a8ee847928aabd10de0488f035c5df5e005ec7048c4f07d88d9082e6b |
memory/4296-17-0x0000000000400000-0x000000000157F000-memory.dmp
memory/4296-42-0x0000000000400000-0x000000000157F000-memory.dmp
memory/4296-101-0x0000000000400000-0x000000000157F000-memory.dmp
memory/4296-102-0x0000000000400000-0x000000000157F000-memory.dmp
memory/4296-144-0x0000000000400000-0x000000000157F000-memory.dmp
memory/4296-145-0x0000000000400000-0x000000000157F000-memory.dmp
memory/4296-147-0x0000000000400000-0x000000000157F000-memory.dmp
memory/4296-148-0x0000000000400000-0x000000000157F000-memory.dmp
memory/4296-151-0x0000000000400000-0x000000000157F000-memory.dmp
memory/4296-152-0x0000000000400000-0x000000000157F000-memory.dmp
memory/4296-153-0x0000000000400000-0x000000000157F000-memory.dmp
memory/4296-154-0x0000000000400000-0x000000000157F000-memory.dmp
memory/4296-155-0x0000000000400000-0x000000000157F000-memory.dmp