220006ba7e3f80d95ab7b28d079e993e549684ce48e4a345097dfc3e39cc1dce

Analysis

max time kernel
121s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
16-06-2024 20:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-16_6e769f8b84dad05f5d0bc6af0f1d365f_icedid.exe
Size

745KB
MD5

6e769f8b84dad05f5d0bc6af0f1d365f
SHA1

82f5a9296977cf396fdab0ad0cc61fd448b6cf59
SHA256

220006ba7e3f80d95ab7b28d079e993e549684ce48e4a345097dfc3e39cc1dce
SHA512

9c82cf164df1dac8ed75b3cc098aba93af03f4eed51c7bd11187a307a5a8c3fab37e29fdf7fe701ba5a423244c6edf5f3e94dc368bc84604f0c95ec06c87328b
SSDEEP

12288:U1ZjkSN4dX3Y6futJPe/LrawD526oIeBibYI7WPRIOwnFzqFhl4QGYRcJqVPkaeS:U1LzPejraI2CeBibYI7WP+OwnF2FhCQh

Score

7^/10

spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	2024-06-16_6e769f8b84dad05f5d0bc6af0f1d365f_icedid.exe

Executes dropped EXE 3 IoCs

pid	Process
3968	44D9.tmp
764	Reader_sl.exe
3068	611.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 58 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\mfc140u.dll	44D9.tmp
File created	C:\Windows\SysWOW64\msjtes40.dll	44D9.tmp
File opened for modification	C:\Windows\SysWOW64\opencl.dll	44D9.tmp
File created	C:\Windows\SysWOW64\sqlwoa.dll	44D9.tmp
File created	C:\Windows\SysWOW64\d3dxof.dll	44D9.tmp
File created	C:\Windows\SysWOW64\FXSXP32.dll	44D9.tmp
File created	C:\Windows\SysWOW64\mfc40.dll	44D9.tmp
File created	C:\Windows\SysWOW64\msvbvm60.dll	44D9.tmp
File opened for modification	C:\Windows\SysWOW64\msvcr110.dll	44D9.tmp
File opened for modification	C:\Windows\SysWOW64\PrintConfig.dll	44D9.tmp
File created	C:\Windows\System32\DriverStore\FileRepository\prnms003.inf_x86_360f6f3a7c4b3433\I386\PrintConfig.dll	44D9.tmp
File opened for modification	C:\Windows\SysWOW64\mfc110u.dll	44D9.tmp
File created	C:\Windows\SysWOW64\msrepl40.dll	44D9.tmp
File created	C:\Windows\SysWOW64\olecli32.dll	44D9.tmp
File created	C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_x86_c62e9f8067f98247\I386\PSCRIPT5.DLL	44D9.tmp
File created	C:\Windows\SysWOW64\AppVEntSubsystems32.dll	44D9.tmp
File opened for modification	C:\Windows\SysWOW64\atl100.dll	44D9.tmp
File created	C:\Windows\SysWOW64\InstallShield\_isdel.exe	44D9.tmp
File created	C:\Windows\SysWOW64\ivfsrc.ax	44D9.tmp
File opened for modification	C:\Windows\SysWOW64\msvcr120.dll	44D9.tmp
File created	C:\Windows\SysWOW64\mswstr10.dll	44D9.tmp
File created	C:\Windows\SysWOW64\odbcjt32.dll	44D9.tmp
File created	C:\Windows\SysWOW64\olesvr32.dll	44D9.tmp
File created	C:\Windows\SysWOW64\rdvgogl32.dll	44D9.tmp
File created	C:\Windows\SysWOW64\sqlunirl.dll	44D9.tmp
File created	C:\Windows\SysWOW64\d3dim.dll	44D9.tmp
File created	C:\Windows\SysWOW64\hh.exe	44D9.tmp
File created	C:\Windows\SysWOW64\ir32_32original.dll	44D9.tmp
File opened for modification	C:\Windows\SysWOW64\mfc140.dll	44D9.tmp
File created	C:\Windows\SysWOW64\OneDriveSetup.exe	44D9.tmp
File created	C:\Windows\SysWOW64\gnsdk_fp.dll	44D9.tmp
File opened for modification	C:\Windows\SysWOW64\mfc100.dll	44D9.tmp
File created	C:\Windows\SysWOW64\msexch40.dll	44D9.tmp
File opened for modification	C:\Windows\SysWOW64\mfc120u.dll	44D9.tmp
File created	C:\Windows\SysWOW64\d3d8.dll	44D9.tmp
File opened for modification	C:\Windows\SysWOW64\mfc100u.dll	44D9.tmp
File opened for modification	C:\Windows\SysWOW64\mfc110.dll	44D9.tmp
File created	C:\Windows\SysWOW64\mfc40u.dll	44D9.tmp
File opened for modification	C:\Windows\SysWOW64\vcomp140.dll	44D9.tmp
File created	C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_x86_c62e9f8067f98247\I386\PS5UI.DLL	44D9.tmp
File created	C:\Windows\SysWOW64\InstallShield\setup.exe	44D9.tmp
File created	C:\Windows\SysWOW64\acwow64.dll	44D9.tmp
File opened for modification	C:\Windows\SysWOW64\concrt140.dll	44D9.tmp
File created	C:\Windows\SysWOW64\iac25_32.ax	44D9.tmp
File opened for modification	C:\Windows\SysWOW64\mfc120.dll	44D9.tmp
File created	C:\Windows\SysWOW64\msjet40.dll	44D9.tmp
File opened for modification	C:\Windows\SysWOW64\vccorlib120.dll	44D9.tmp
File opened for modification	C:\Windows\SysWOW64\atl110.dll	44D9.tmp
File created	C:\Windows\SysWOW64\expsrv.dll	44D9.tmp
File created	C:\Windows\SysWOW64\msorcl32.dll	44D9.tmp
File opened for modification	C:\Windows\SysWOW64\msvcr100.dll	44D9.tmp
File created	C:\Windows\SysWOW64\msvcrt20.dll	44D9.tmp
File created	C:\Windows\SysWOW64\crtdll.dll	44D9.tmp
File created	C:\Windows\SysWOW64\ir50_32original.dll	44D9.tmp
File created	C:\Windows\SysWOW64\ir41_32original.dll	44D9.tmp
File created	C:\Windows\SysWOW64\mspbde40.dll	44D9.tmp
File created	C:\Windows\SysWOW64\msrd3x40.dll	44D9.tmp
File created	C:\Windows\SysWOW64\msxbde40.dll	44D9.tmp

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\msvcr120.dll	44D9.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\IEAWSDC.DLL	44D9.tmp
File created	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroPDFImpl.dll	44D9.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	44D9.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\sqlite.dll	44D9.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\SaveAsRTF.api	44D9.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\concrt140.dll	44D9.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Mso20win32client.dll	44D9.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\msolap.dll	44D9.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MSOHEV.DLL	44D9.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\ONBttnIELinkedNotes.dll	44D9.tmp
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOLoader.dll	44D9.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\BIB.dll	44D9.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ScCore.dll	44D9.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\SendMail.api	44D9.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\QuickTime.mpp	44D9.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\drvSOFT.x3d	44D9.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\STSCOPY.DLL	44D9.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\URLREDIR.DLL	44D9.tmp
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	44D9.tmp
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VC\msdia90.dll	44D9.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\MSO.DLL	44D9.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\msoshext.dll	44D9.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.dll	44D9.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\SystemX86\mfc140.dll	44D9.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIDE.dll	44D9.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\MCIMPP.mpp	44D9.tmp
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx	44D9.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\dbghelp.dll	44D9.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\ONLNTCOMLIB.DLL	44D9.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Portal\PortalConnectCore.dll	44D9.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\OWSSUPP.DLL	44D9.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\VVIEWER.DLL	44D9.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll	44D9.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annots.api	44D9.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	44D9.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	44D9.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\libcef.dll	44D9.tmp
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	44D9.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.187.37\MicrosoftEdgeUpdateCore.exe	44D9.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\cryptocme.dll	44D9.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\SystemX86\concrt140.dll	44D9.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\MakeAccessible.api	44D9.tmp
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	44D9.tmp
File opened for modification	C:\Program Files\7-Zip\7z.sfx	44D9.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\mfc140u.dll	44D9.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Mso50win32client.dll	44D9.tmp
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VC\msdia100.dll	44D9.tmp
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	44D9.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\JitV.dll	44D9.tmp
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	44D9.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x86\EmbeddedBrowserWebView.dll	44D9.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\NPSPWRAP.DLL	44D9.tmp
File created	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	44D9.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\WindowsMedia.mpp	44D9.tmp
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	44D9.tmp
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	44D9.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\ADAL.DLL	44D9.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ACE.dll	44D9.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AGM.dll	44D9.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	44D9.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\ReadOutLoud.api	44D9.tmp
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOMessageProvider.dll	44D9.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\ie_to_edge_bho.dll	44D9.tmp

Drops file in Windows directory 62 IoCs

description	ioc	Process
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\acrotextextractor.exe	44D9.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AGM.dll	44D9.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\F_CENTRAL_msvcr120_x86.194841A2_D0F2_3B96_9F71_05BA91BEA0FA	44D9.tmp
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\FDFFile_8.ico	44D9.tmp
File created	C:\Windows\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll	44D9.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\00006109E70000000100000000F01FEC\16.0.12527\concrt140.dll_x86	44D9.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\Accessibility.api_NON_OPT	44D9.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100u_x86	44D9.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\QuickTime.mpp	44D9.tmp
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\APIFile_8.ico	44D9.tmp
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\XDPFile_8.ico	44D9.tmp
File created	C:\Windows\assembly\GAC_32\PresentationCore\3.0.0.0__31bf3856ad364e35\wpfgfx_v0300.dll	44D9.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\adobearmhelper.exe.BDCA7721_F290_4124_BBED_7A15FE7694EB	44D9.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\eula.exe	44D9.tmp
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\napcrypt\v4.0_10.0.0.0__31bf3856ad364e35\NAPCRYPT.DLL	44D9.tmp
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll	44D9.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AcroRd32.dll	44D9.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AcroRd32.exe	44D9.tmp
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\PDFFile_8.ico	44D9.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\adoberfp.dll	44D9.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\libcef.dll.15EE1C08_ED51_465D_B6F3_FB152B1CC435	44D9.tmp
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\SecStoreFile.ico	44D9.tmp
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\XFDFFile_8.ico	44D9.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_atl100_x86	44D9.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_msvcr100_x86	44D9.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\acrocef.exe.15EE1C08_ED51_465D_B6F3_FB152B1CC435	44D9.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AcroForm.api__NON_OPT	44D9.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\drvDX9.x3d	44D9.tmp
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll	44D9.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\MCIMPP.mpp	44D9.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\nppdf32.dll	44D9.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\SaveAsRTF.api_NON_OPT	44D9.tmp
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\SC_Reader.ico	44D9.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\acrobroker.exe	44D9.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AcroPDF.dll	44D9.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AdobeCollabSync.exe	44D9.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100_x86	44D9.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\nppdf32.dll_Apollo	44D9.tmp
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\PDXFile_8.ico	44D9.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\drvSOFT.x3d	44D9.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\EScript.api	44D9.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\Multimedia.api_NON_OPT	44D9.tmp
File created	C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll	44D9.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\Ace.dll_NON_OPT	44D9.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\F_CENTRAL_vccorlib120_x86.194841A2_D0F2_3B96_9F71_05BA91BEA0FA	44D9.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\PPKLite.api	44D9.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\Search.api	44D9.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\WindowsMedia.mpp	44D9.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\logtransport2.exe	44D9.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\reader_sl.exe	44D9.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\sqlite.dll	44D9.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\Bib.dll_NON_OPT	44D9.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\Flash.mpp	44D9.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\logsession.dll	44D9.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\ReadOutLoud.api	44D9.tmp
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.VisualBasic.Activities.Compiler\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Activities.Compiler.dll	44D9.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\Annots.api	44D9.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\SendMail.api	44D9.tmp
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data.OracleClient\v4.0_4.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll	44D9.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AcroPDFImpl.dll	44D9.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\adobearm.exe.BDCA7721_F290_4124_BBED_7A15FE7694EB	44D9.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\rt3d.dll	44D9.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2380	2024-06-16_6e769f8b84dad05f5d0bc6af0f1d365f_icedid.exe
2380	2024-06-16_6e769f8b84dad05f5d0bc6af0f1d365f_icedid.exe
2380	2024-06-16_6e769f8b84dad05f5d0bc6af0f1d365f_icedid.exe
2380	2024-06-16_6e769f8b84dad05f5d0bc6af0f1d365f_icedid.exe
2380	2024-06-16_6e769f8b84dad05f5d0bc6af0f1d365f_icedid.exe
2380	2024-06-16_6e769f8b84dad05f5d0bc6af0f1d365f_icedid.exe
2380	2024-06-16_6e769f8b84dad05f5d0bc6af0f1d365f_icedid.exe
2380	2024-06-16_6e769f8b84dad05f5d0bc6af0f1d365f_icedid.exe
2380	2024-06-16_6e769f8b84dad05f5d0bc6af0f1d365f_icedid.exe
2380	2024-06-16_6e769f8b84dad05f5d0bc6af0f1d365f_icedid.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4864	AdobeARM.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 3968	2380	2024-06-16_6e769f8b84dad05f5d0bc6af0f1d365f_icedid.exe	82
PID 2380 wrote to memory of 3968	2380	2024-06-16_6e769f8b84dad05f5d0bc6af0f1d365f_icedid.exe	82
PID 2380 wrote to memory of 3968	2380	2024-06-16_6e769f8b84dad05f5d0bc6af0f1d365f_icedid.exe	82
PID 2380 wrote to memory of 4864	2380	2024-06-16_6e769f8b84dad05f5d0bc6af0f1d365f_icedid.exe	83
PID 2380 wrote to memory of 4864	2380	2024-06-16_6e769f8b84dad05f5d0bc6af0f1d365f_icedid.exe	83
PID 2380 wrote to memory of 4864	2380	2024-06-16_6e769f8b84dad05f5d0bc6af0f1d365f_icedid.exe	83
PID 4864 wrote to memory of 764	4864	AdobeARM.exe	95
PID 4864 wrote to memory of 764	4864	AdobeARM.exe	95
PID 4864 wrote to memory of 764	4864	AdobeARM.exe	95
PID 764 wrote to memory of 3068	764	Reader_sl.exe	96
PID 764 wrote to memory of 3068	764	Reader_sl.exe	96
PID 764 wrote to memory of 3068	764	Reader_sl.exe	96

C:\Users\Admin\AppData\Local\Temp\2024-06-16_6e769f8b84dad05f5d0bc6af0f1d365f_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-16_6e769f8b84dad05f5d0bc6af0f1d365f_icedid.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Users\Admin\AppData\Local\Temp\44D9.tmp
  C:\Users\Admin\AppData\Local\Temp\44D9.tmp
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  PID:3968
- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
  "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4864
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:764
  - - C:\Users\Admin\AppData\Local\Temp\611.tmp
      C:\Users\Admin\AppData\Local\Temp\611.tmp
      4⤵
      Executes dropped EXE
      PID:3068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

Filesize
3.0MB

MD5
3b01d1652efb2da7b3007f89d59e1b87

SHA1
59d914b0d8f4154f742a8468657911fe83ebda88

SHA256
8145bf3be0a046b3084e976ad694e8e75ceab6725b1d19d7629b5a09c89517ba

SHA512
cb36d2906857a3d172b370d7cc3c070bf6ea6477379b3b0acc7c509b8e5875888c2d2468b663358f2d7ee38c40b1666963620353a25e8166c17968b528cb4eb8

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe

Filesize
252KB

MD5
1c243a6aae7bf272b386c222b71b41af

SHA1
8a7ea39ed9baf4188b468d6029b55d4a3e7173dc

SHA256
cd0c1166acb8870b7f1a795604519d863de5a39ba32768a92a9efcd2d3b249c5

SHA512
5f444e775b6225e48bf36563fbd3405935a984dd11259d1365668073185f7f4e2b2a7f22842829deda2ea54c8b31217f944bf77b5ef3e39d7890e2e0ac15a254

Download Submit
C:\ProgramData\Adobe\ARM\ArmReport.ini

Filesize
680B

MD5
b30d2df0532a865db7fd69a79b3166f5

SHA1
e8af1135ca024f772fd90988e0a73edc2def88e1

SHA256
e9e24192ecf10c39d960cd0dbd4144c9992eaa6914774d0b4fc420be14f9a264

SHA512
92d526c202dcee17092434710382f17b1d6ff3b80e10aaee0a849753be5141f9445b5527e96e7ffd68f659b42c5b275485334dcd06bdbca7c1a66061445e6d33

Download Submit
C:\Users\Admin\AppData\Local\Temp\44D9.tmp

Filesize
145KB

MD5
c610e7ccd6859872c585b2a85d7dc992

SHA1
362b3d4b72e3add687c209c79b500b7c6a246d46

SHA256
14063fc61dc71b9881d75e93a587c27a6daf8779ff5255a24a042beace541041

SHA512
8570aad2ae8b5dcba00fc5ebf3dc0ea117e96cc88a83febd820c5811bf617a6431c1367b3eb88332f43f80b30ebe2c298c22dcc44860a075f7b41bf350236666

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdobeARM.log

Filesize
178B

MD5
45cd29342b4a6650f3d2ac48939db854

SHA1
c06ca8aa0da23817540dd2ae188c9e9ebe005c8f

SHA256
0981b2b9715c490cb6bc54a47ddc88548cc028c630982fe0d000772d50dea96b

SHA512
44fbe108aa1792cfc94fe9c7f3a3724c29b4160475c4ebe68b0ce68bfbf7c1985d7eca0b4b82e95b6083e2fdb1e59bf9e1556678e764afda3b7d4800fbbd2165

Download Submit
C:\Users\Admin\AppData\Local\Temp\ArmUI.ini

Filesize
251KB

MD5
864c22fb9a1c0670edf01c6ed3e4fbe4

SHA1
bf636f8baed998a1eb4531af9e833e6d3d8df129

SHA256
b4d4dcd9594d372d7c0c975d80ef5802c88502895ed4b8a26ca62e225f2f18b0

SHA512
ff23616ee67d51daa2640ae638f59a8d331930a29b98c2d1bd3b236d2f651f243f9bae38d58515714886cfbb13b9be721d490aad4f2d10cbba74d7701ab34e09

Download Submit
memory/764-321-0x00000000005E0000-0x0000000000614000-memory.dmp

Filesize
208KB

Download
memory/2380-1-0x0000000002260000-0x00000000022B5000-memory.dmp

Filesize
340KB

Download