Malware Analysis Report

2024-09-23 11:16

Sample ID 240615-nk371asfkj
Target 2024-06-15_d5c2f96bdb737ed828f8585988cc5f39_icedid
SHA256 8ede84109b78394b42ead5f872791601ccd8c52806ece2fbf30922f7d1694c83
Tags
bootkit persistence upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8ede84109b78394b42ead5f872791601ccd8c52806ece2fbf30922f7d1694c83

Threat Level: Known bad

The file 2024-06-15_d5c2f96bdb737ed828f8585988cc5f39_icedid was found to be: Known bad.

Malicious Activity Summary

bootkit persistence upx

UPX dump on OEP (original entry point)

Detects executables packed with VMProtect.

Loads dropped DLL

UPX packed file

ACProtect 1.3x - 1.4x DLL software

Writes to the Master Boot Record (MBR)

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-15 11:28

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-15 11:28

Reported

2024-06-15 11:30

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-15_d5c2f96bdb737ed828f8585988cc5f39_icedid.exe"

Signatures

Detects executables packed with VMProtect.

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\2024-06-15_d5c2f96bdb737ed828f8585988cc5f39_icedid.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\dm.dll C:\Users\Admin\AppData\Local\Temp\2024-06-15_d5c2f96bdb737ed828f8585988cc5f39_icedid.exe N/A
File opened for modification C:\Windows\SysWOW64\dm.dll C:\Users\Admin\AppData\Local\Temp\2024-06-15_d5c2f96bdb737ed828f8585988cc5f39_icedid.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\WINDOWS\Edm.dll C:\Users\Admin\AppData\Local\Temp\2024-06-15_d5c2f96bdb737ed828f8585988cc5f39_icedid.exe N/A
File opened for modification C:\WINDOWS\Edm.dll C:\Users\Admin\AppData\Local\Temp\2024-06-15_d5c2f96bdb737ed828f8585988cc5f39_icedid.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib\ = "{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ = "dm.dmsoft" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID\ = "dm.dmsoft" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32\ = "C:\\WINDOWS\\Edm.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib\ = "{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ = "Idmsoft" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft\CurVer\ = "dm.dmsoft" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft\ = "dm.dmsoft" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\ = "Dm" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\HELPDIR\ = "C:\\WINDOWS\\" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ = "Idmsoft" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft\CLSID\ = "{26037A0E-7CBD-4FFF-9C63-56F2D0770214}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\0\win32\ = "C:\\WINDOWS\\Edm.dll" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-15_d5c2f96bdb737ed828f8585988cc5f39_icedid.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-15_d5c2f96bdb737ed828f8585988cc5f39_icedid.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-15_d5c2f96bdb737ed828f8585988cc5f39_icedid.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-15_d5c2f96bdb737ed828f8585988cc5f39_icedid.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 /s C:\WINDOWS\Edm.dll

Network

Files

memory/1856-0-0x0000000010000000-0x000000001003E000-memory.dmp

memory/1856-1-0x0000000010000000-0x000000001003E000-memory.dmp

memory/1856-11-0x0000000010000000-0x000000001003E000-memory.dmp

memory/1856-13-0x0000000010000000-0x000000001003E000-memory.dmp

memory/1856-35-0x0000000010000000-0x000000001003E000-memory.dmp

memory/1856-41-0x0000000010000000-0x000000001003E000-memory.dmp

memory/1856-44-0x0000000010000000-0x000000001003E000-memory.dmp

memory/1856-39-0x0000000010000000-0x000000001003E000-memory.dmp

memory/1856-37-0x0000000010000000-0x000000001003E000-memory.dmp

memory/1856-33-0x0000000010000000-0x000000001003E000-memory.dmp

memory/1856-31-0x0000000010000000-0x000000001003E000-memory.dmp

memory/1856-27-0x0000000010000000-0x000000001003E000-memory.dmp

memory/1856-25-0x0000000010000000-0x000000001003E000-memory.dmp

memory/1856-23-0x0000000010000000-0x000000001003E000-memory.dmp

memory/1856-21-0x0000000010000000-0x000000001003E000-memory.dmp

memory/1856-19-0x0000000010000000-0x000000001003E000-memory.dmp

memory/1856-17-0x0000000010000000-0x000000001003E000-memory.dmp

memory/1856-15-0x0000000010000000-0x000000001003E000-memory.dmp

memory/1856-9-0x0000000010000000-0x000000001003E000-memory.dmp

memory/1856-7-0x0000000010000000-0x000000001003E000-memory.dmp

memory/1856-5-0x0000000010000000-0x000000001003E000-memory.dmp

memory/1856-29-0x0000000010000000-0x000000001003E000-memory.dmp

memory/1856-3-0x0000000010000000-0x000000001003E000-memory.dmp

memory/1856-2-0x0000000010000000-0x000000001003E000-memory.dmp

C:\Windows\SysWOW64\dm.dll

MD5 c578b6820bda5689940560147c6e5ffc
SHA1 922e50d89c9c44bdc205ef17aa57212b64e58852
SHA256 3b6ddc32b800a18b21a819e842cbfdd57cb065fd92cc69545e0ef29b97cfd389
SHA512 9f2a1bb5788ad245242d12968bbf198af2694a87c6e2342f14672e8c14e8489dd3319434592fc9b20f620557d0fa58482903d19c7f5ba32456a1e4076dc1bb85

memory/808-53-0x0000000010000000-0x0000000010176000-memory.dmp

memory/1856-54-0x0000000002580000-0x0000000002594000-memory.dmp

memory/1856-57-0x0000000002580000-0x0000000002594000-memory.dmp

memory/1856-58-0x0000000002790000-0x0000000002906000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\注册码配置.ini (GBK filename, "registration code configuration"; the raw report renders it as the mojibake ×¢²áÂëÅäÖÃ.ini)

MD5 e1cf753d2f06b22fecd7666eebfeb1f3
SHA1 6f18eb498649cb74b7919e906c514ac7be8478d1
SHA256 f7797bb407faffad4835edee7350b66a829e26ca4646cc76b5616939b78433a5
SHA512 2484098f9736e3005ca90c1684979dd7301dcdf44d132f2606a105786428b0c7cb1c43ab9f1dbbd1d87a13f74bfdaaf5568b5200dff0f2d2b7c54f0e589540ef

memory/1856-78-0x0000000002790000-0x0000000002906000-memory.dmp

memory/1856-86-0x0000000010000000-0x000000001003E000-memory.dmp

memory/1856-95-0x0000000002580000-0x0000000002594000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-15 11:28

Reported

2024-06-15 11:30

Platform

win7-20240611-en

Max time kernel

149s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-15_d5c2f96bdb737ed828f8585988cc5f39_icedid.exe"

Signatures

Detects executables packed with VMProtect.

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\2024-06-15_d5c2f96bdb737ed828f8585988cc5f39_icedid.exe N/A
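
The "Writes to the Master Boot Record (MBR)" signature, here and in behavioral2, fires because the sample opened \??\PhysicalDrive0 with write access. Neither detonation records a write to sector 0 or a changed boot code, and several disk-identification IOCTLs (SMART and ATA pass-through among them) require a handle opened for both read and write, so an open "for modification" on its own does not prove an MBR write. The dropped 注册码配置.ini ("registration code configuration") points at licensing logic, and a common reason for licensing code to open the physical drive is to read a disk serial for hardware fingerprinting. The check an analyst wants before calling this a bootkit is a before/after diff of sector 0. The script below is an added example written for this page, not code from the sandbox or from the sample: it parses a 512-byte MBR (boot code, disk signature, partition table, 55 AA signature), hashes the boot code and diffs one capture against a baseline. The clean and tampered sectors it uses are constructed for the demo; read_mbr() shows how to capture the real one from \\.\PhysicalDrive0 or a disk image (elevated rights needed; it is not called here).

```python
"""Verify whether an MBR was actually altered: parse sector 0 and diff it
against a known-good baseline.  Added example, not part of the sandbox report."""
import hashlib
import struct
from dataclasses import dataclass
from typing import Dict, List

MBR_SIZE = 512
BOOTCODE_LEN = 440      # bytes 0..439: boot code
DISK_SIG_OFF = 440      # 4-byte disk signature, then 2 reserved bytes
PART_TABLE_OFF = 446    # 4 x 16-byte partition entries
BOOT_SIG_OFF = 510      # bytes 55 AA


@dataclass(frozen=True)
class PartitionEntry:
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int


def is_valid_mbr(sector: bytes) -> bool:
    """True when the sector is 512 bytes and ends with the 55 AA boot signature."""
    return len(sector) == MBR_SIZE and sector[BOOT_SIG_OFF:] == b"\x55\xaa"


def parse_mbr(sector: bytes) -> Dict[str, object]:
    """Split sector 0 into the three things a bootkit check cares about."""
    if not is_valid_mbr(sector):
        raise ValueError("not a 512-byte sector with a 55 AA boot signature")
    partitions: List[PartitionEntry] = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status, CHS first, type, CHS last, LBA start, sector count
        status, _chs_first, ptype, _chs_last, lba, count = struct.unpack_from(
            "<B3sB3sII", sector, off)
        if ptype == 0:      # empty slot
            continue
        partitions.append(PartitionEntry(status == 0x80, ptype, lba, count))
    return {
        "bootcode_sha256": hashlib.sha256(sector[:BOOTCODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "partitions": partitions,
    }


def diff_mbr(baseline: Dict[str, object], current: Dict[str, object]) -> List[str]:
    """Names of the MBR fields that differ between a baseline and a later capture."""
    return [key for key in ("bootcode_sha256", "disk_signature", "partitions")
            if baseline[key] != current[key]]


def read_mbr(device: str) -> bytes:
    """Read sector 0 of a raw device or disk image."""
    # e.g. r"\\.\PhysicalDrive0" on Windows (administrator) or "/dev/sda" on Linux (root)
    with open(device, "rb") as fh:
        return fh.read(MBR_SIZE)


def build_sample_mbr() -> bytes:
    """Constructed clean MBR for the demo: dummy boot code, one bootable NTFS partition."""
    bootcode = b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * (BOOTCODE_LEN - 5)  # cli; xor ax,ax; mov ss,ax; nops
    disk_sig = struct.pack("<I", 0x1234ABCD) + b"\x00\x00"
    ntfs = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 1_000_000)
    empty = b"\x00" * 16
    sector = bootcode + disk_sig + ntfs + empty * 3 + b"\x55\xaa"
    assert len(sector) == MBR_SIZE
    return sector


def tamper_bootcode(sector: bytes) -> bytes:
    """Simulate a bootkit that overwrites only the first bytes of the boot code."""
    return b"\xeb\xfe" + sector[2:]     # jmp $ ; demo patch, keeps table and signature


if __name__ == "__main__":
    clean = build_sample_mbr()
    print(diff_mbr(parse_mbr(clean), parse_mbr(clean)))                   # []
    print(diff_mbr(parse_mbr(clean), parse_mbr(tamper_bootcode(clean))))  # ['bootcode_sha256']
```

Capture the baseline from a clean image of the same build, run parse_mbr() on both, and only a non-empty diff_mbr() result justifies the bootkit label; an unchanged boot code hash after the detonation means the PhysicalDrive0 handle was used for something else.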

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\dm.dll C:\Users\Admin\AppData\Local\Temp\2024-06-15_d5c2f96bdb737ed828f8585988cc5f39_icedid.exe N/A
File opened for modification C:\Windows\SysWOW64\dm.dll C:\Users\Admin\AppData\Local\Temp\2024-06-15_d5c2f96bdb737ed828f8585988cc5f39_icedid.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\WINDOWS\Edm.dll C:\Users\Admin\AppData\Local\Temp\2024-06-15_d5c2f96bdb737ed828f8585988cc5f39_icedid.exe N/A
File opened for modification C:\WINDOWS\Edm.dll C:\Users\Admin\AppData\Local\Temp\2024-06-15_d5c2f96bdb737ed828f8585988cc5f39_icedid.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\0\win32\ = "C:\\WINDOWS\\Edm.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ = "Idmsoft" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft\CLSID\ = "{26037A0E-7CBD-4FFF-9C63-56F2D0770214}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\HELPDIR\ = "C:\\WINDOWS\\" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ = "Idmsoft" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib\ = "{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft\ = "dm.dmsoft" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft\CurVer\ = "dm.dmsoft" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ = "dm.dmsoft" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32\ = "C:\\WINDOWS\\Edm.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID\ = "dm.dmsoft" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\ = "Dm" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib\ = "{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-15_d5c2f96bdb737ed828f8585988cc5f39_icedid.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-15_d5c2f96bdb737ed828f8585988cc5f39_icedid.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-15_d5c2f96bdb737ed828f8585988cc5f39_icedid.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-15_d5c2f96bdb737ed828f8585988cc5f39_icedid.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 /s C:\WINDOWS\Edm.dll
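
regsvr32 /s C:\WINDOWS\Edm.dll silently calls the DLL's DllRegisterServer export; that call is what produced every row of the "Modifies registry class" table: a 32-bit in-process COM server under WOW6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214} with InprocServer32 = C:\WINDOWS\Edm.dll, ProgID dm.dmsoft, interface Idmsoft and TypeLib {84288AAD-BA02-4EF2-85EC-3FAD4D11354D}. Two caveats for a reader triaging this. COM registration is not an autostart: Edm.dll is loaded only when some process instantiates dm.dmsoft, so the persistence tag rests on the MBR signature, not on these keys. And nothing that fired is IcedID-specific; the "icedid" in the target name comes from the submission, not from a family signature. What does deserve attention is the placement: a DLL dropped into the root of C:\WINDOWS (with a second copy, dm.dll, in SysWOW64; only dm.dll's hashes are listed under Files) and registered from there. The script below is an added example, not part of the report or of the sample. It parses the report's flattened registry rows (nine of them copied verbatim as the constructed input), rebuilds the COM registration and flags in-process servers registered outside the usual system and program directories. The row grammar and the trusted-directory list are assumptions fitted to this report format.

```python
"""Rebuild the COM registration from flattened sandbox registry events and
flag in-process servers in odd locations.  Added example, not report code."""
import re
from typing import Dict, List, NamedTuple, Optional


class RegEvent(NamedTuple):
    op: str                 # "Key created" or "Set value"
    key: str                # registry key path
    name: str               # value name; "" means the key's (Default) value
    value: Optional[str]    # None for "Key created"
    process: str            # process that made the change


# Row grammar of this report (assumption): "<op> <key-path>[ = "<value>"] <process> N/A"
_SET = re.compile(r'^Set value \((\w+)\) (.+?) = "(.*)" (\S+) N/A$')
_KEY = re.compile(r'^Key created (\S+) (\S+) N/A$')
# COM-relevant key shapes; the WOW6432Node prefix is optional and case is ignored.
_CLSID = re.compile(r'\\CLSID\\\{([0-9A-F-]{36})\}(?:\\(.*))?$', re.I)
_TYPELIB = re.compile(r'\\TypeLib\\\{([0-9A-F-]{36})\}\\([\d.]+)(?:\\(.*))?$', re.I)
_PROGID = re.compile(r'\\Classes\\([^\\]+)\\CLSID$', re.I)

# Directories from which a registered in-process server is unremarkable (assumption).
TRUSTED_DIRS = ("C:\\WINDOWS\\SYSTEM32\\", "C:\\WINDOWS\\SYSWOW64\\",
                "C:\\PROGRAM FILES\\", "C:\\PROGRAM FILES (X86)\\")

# Constructed input: nine "Modifies registry class" rows copied from this report.
SAMPLE_LINES = r'''
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft\CLSID\ = "{26037A0E-7CBD-4FFF-9C63-56F2D0770214}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ = "dm.dmsoft" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID\ = "dm.dmsoft" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32\ = "C:\\WINDOWS\\Edm.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\ = "Dm" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\0\win32\ = "C:\\WINDOWS\\Edm.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\HELPDIR\ = "C:\\WINDOWS\\" C:\Windows\SysWOW64\regsvr32.exe N/A
'''.strip().splitlines()


def parse_event(line: str) -> Optional[RegEvent]:
    """One report row -> RegEvent, or None for rows in another shape."""
    m = _SET.match(line)
    if m:
        _vtype, path, value, proc = m.groups()
        key, _, name = path.rpartition("\\")       # trailing "\" => (Default) value
        return RegEvent("Set value", key, name, value.replace("\\\\", "\\"), proc)
    m = _KEY.match(line)
    if m:
        return RegEvent("Key created", m.group(1), "", None, m.group(2))
    return None


def summarize(events: List[RegEvent]) -> Dict[str, dict]:
    """Group value writes into CLSID, TypeLib and ProgID registrations."""
    clsids: Dict[str, dict] = {}
    typelibs: Dict[str, dict] = {}
    progids: Dict[str, str] = {}
    for ev in events:
        if ev.op != "Set value":
            continue
        if (m := _CLSID.search(ev.key)):
            clsid, sub = m.group(1).upper(), (m.group(2) or "").lower()
            e = clsids.setdefault(clsid, {"wow64": "wow6432node" in ev.key.lower()})
            if sub == "inprocserver32" and ev.name == "":
                e["inproc_server32"] = ev.value
            elif sub == "inprocserver32" and ev.name.lower() == "threadingmodel":
                e["threading_model"] = ev.value
            elif sub == "progid":
                e["progid"] = ev.value
            elif sub == "" and ev.name == "":
                e["friendly_name"] = ev.value
        elif (m := _TYPELIB.search(ev.key)):
            tlb, sub = m.group(1).upper(), (m.group(3) or "").lower()
            e = typelibs.setdefault(tlb, {"version": m.group(2)})
            if sub == "0\\win32":
                e["win32"] = ev.value
            elif sub == "helpdir":
                e["helpdir"] = ev.value
            elif sub == "" and ev.name == "":
                e["name"] = ev.value
        elif (m := _PROGID.search(ev.key)) and ev.name == "":
            progids[m.group(1)] = ev.value.strip("{}").upper()
    return {"clsid": clsids, "typelib": typelibs, "progid": progids}


def findings(summary: Dict[str, dict]) -> List[str]:
    """In-process servers whose DLL lives outside the trusted directories."""
    out = []
    for clsid, e in summary["clsid"].items():
        path = e.get("inproc_server32", "")
        if path and not path.upper().startswith(TRUSTED_DIRS):
            out.append(f"CLSID {{{clsid}}} (ProgID {e.get('progid', '?')}) "
                       f"registers in-process server outside trusted dirs: {path}")
    return out


if __name__ == "__main__":
    summary = summarize([e for e in map(parse_event, SAMPLE_LINES) if e])
    for line in findings(summary):
        print(line)
```

On a live host the same CLSID and ProgID keys can be read back with the registry API or reg query to confirm the registration survived the detonation; the InprocServer32 path is the one to hash and compare against the dm.dll hashes listed under Files.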

Network

N/A

Files

memory/2280-0-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2280-1-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2280-2-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2280-15-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2280-21-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2280-19-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2280-17-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2280-23-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2280-5-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2280-3-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2280-7-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2280-34-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2280-9-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2280-41-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2280-44-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2280-39-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2280-37-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2280-35-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2280-31-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2280-29-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2280-27-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2280-25-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2280-13-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2280-11-0x0000000010000000-0x000000001003E000-memory.dmp

C:\Windows\SysWOW64\dm.dll

MD5 c578b6820bda5689940560147c6e5ffc
SHA1 922e50d89c9c44bdc205ef17aa57212b64e58852
SHA256 3b6ddc32b800a18b21a819e842cbfdd57cb065fd92cc69545e0ef29b97cfd389
SHA512 9f2a1bb5788ad245242d12968bbf198af2694a87c6e2342f14672e8c14e8489dd3319434592fc9b20f620557d0fa58482903d19c7f5ba32456a1e4076dc1bb85

memory/2656-52-0x0000000010000000-0x0000000010176000-memory.dmp

memory/2280-53-0x0000000000810000-0x0000000000824000-memory.dmp

memory/2280-55-0x00000000032A0000-0x0000000003416000-memory.dmp

memory/2280-54-0x0000000000810000-0x0000000000824000-memory.dmp

memory/2280-57-0x0000000003240000-0x000000000324A000-memory.dmp

memory/2280-56-0x0000000003240000-0x000000000324A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\注册码配置.ini (GBK filename, "registration code configuration"; the raw report renders it as the mojibake ×¢²áÂëÅäÖÃ.ini)

MD5 304d18e401d5041ebf4b41f6df6c67c5
SHA1 d13ee90af0eddfd7b0d44c207bfd0b9422f7a8e0
SHA256 c125cb2179dc17a1a9500fdb397516d6aa13cceb259c2664fc60356bfdcf00d3
SHA512 9c91769d43be38c8e30f35f3d5c58c463f1c64958eaa89a7ee481e4bc2f76d22bb66d2c94e6d221579cf5fa23c23b12326f0c85633851c863b627268485a2ebb

memory/2280-77-0x00000000032A0000-0x0000000003416000-memory.dmp

memory/2280-82-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2280-91-0x0000000000810000-0x0000000000824000-memory.dmp

memory/2280-96-0x0000000003240000-0x000000000324A000-memory.dmp

memory/2280-95-0x0000000003240000-0x000000000324A000-memory.dmp