41536a1562a7a77adad86fc1d1f9296d296d5f67612e73c22b764f8f31ad2cd6

General

Target

2024-06-20_a0bf6f0601f924eeb9ff269b1e0e168e_icedid.exe
Size

3.8MB
MD5

a0bf6f0601f924eeb9ff269b1e0e168e
SHA1

2bfc3341cd253c39c33eee7ce554a0a2ab2f34aa
SHA256

41536a1562a7a77adad86fc1d1f9296d296d5f67612e73c22b764f8f31ad2cd6
SHA512

887588a16a9793d34f2a3a09ec49db137171c53a0fca4e8194b6b0bd487f81b7e06d2609e38db33b9c05d78f9859f530ed30f717ee16db89dd6e29485be385e1
SSDEEP

49152:JVTD6aoiHVGUP4BhHbPFENwKiS//Q6rj0p8Eou/VoNYiNoAEITv7UQ:JVTD/fHVJ4BhHbFV63PuSNYiH7I

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	2024-06-20_a0bf6f0601f924eeb9ff269b1e0e168e_icedid.exe
File opened (read-only)	\??\N:	2024-06-20_a0bf6f0601f924eeb9ff269b1e0e168e_icedid.exe
File opened (read-only)	\??\O:	2024-06-20_a0bf6f0601f924eeb9ff269b1e0e168e_icedid.exe
File opened (read-only)	\??\X:	2024-06-20_a0bf6f0601f924eeb9ff269b1e0e168e_icedid.exe
File opened (read-only)	\??\J:	2024-06-20_a0bf6f0601f924eeb9ff269b1e0e168e_icedid.exe
File opened (read-only)	\??\K:	2024-06-20_a0bf6f0601f924eeb9ff269b1e0e168e_icedid.exe
File opened (read-only)	\??\H:	2024-06-20_a0bf6f0601f924eeb9ff269b1e0e168e_icedid.exe
File opened (read-only)	\??\Q:	2024-06-20_a0bf6f0601f924eeb9ff269b1e0e168e_icedid.exe
File opened (read-only)	\??\R:	2024-06-20_a0bf6f0601f924eeb9ff269b1e0e168e_icedid.exe
File opened (read-only)	\??\S:	2024-06-20_a0bf6f0601f924eeb9ff269b1e0e168e_icedid.exe
File opened (read-only)	\??\V:	2024-06-20_a0bf6f0601f924eeb9ff269b1e0e168e_icedid.exe
File opened (read-only)	\??\Y:	2024-06-20_a0bf6f0601f924eeb9ff269b1e0e168e_icedid.exe
File opened (read-only)	\??\B:	2024-06-20_a0bf6f0601f924eeb9ff269b1e0e168e_icedid.exe
File opened (read-only)	\??\G:	2024-06-20_a0bf6f0601f924eeb9ff269b1e0e168e_icedid.exe
File opened (read-only)	\??\U:	2024-06-20_a0bf6f0601f924eeb9ff269b1e0e168e_icedid.exe
File opened (read-only)	\??\Z:	2024-06-20_a0bf6f0601f924eeb9ff269b1e0e168e_icedid.exe
File opened (read-only)	\??\I:	2024-06-20_a0bf6f0601f924eeb9ff269b1e0e168e_icedid.exe
File opened (read-only)	\??\T:	2024-06-20_a0bf6f0601f924eeb9ff269b1e0e168e_icedid.exe
File opened (read-only)	\??\L:	2024-06-20_a0bf6f0601f924eeb9ff269b1e0e168e_icedid.exe
File opened (read-only)	\??\P:	2024-06-20_a0bf6f0601f924eeb9ff269b1e0e168e_icedid.exe
File opened (read-only)	\??\W:	2024-06-20_a0bf6f0601f924eeb9ff269b1e0e168e_icedid.exe
File opened (read-only)	\??\A:	2024-06-20_a0bf6f0601f924eeb9ff269b1e0e168e_icedid.exe
File opened (read-only)	\??\E:	2024-06-20_a0bf6f0601f924eeb9ff269b1e0e168e_icedid.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2552	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
780	2024-06-20_a0bf6f0601f924eeb9ff269b1e0e168e_icedid.exe
780	2024-06-20_a0bf6f0601f924eeb9ff269b1e0e168e_icedid.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2552	NETSTAT.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
780	2024-06-20_a0bf6f0601f924eeb9ff269b1e0e168e_icedid.exe
780	2024-06-20_a0bf6f0601f924eeb9ff269b1e0e168e_icedid.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 780 wrote to memory of 2284	780	2024-06-20_a0bf6f0601f924eeb9ff269b1e0e168e_icedid.exe	28
PID 780 wrote to memory of 2284	780	2024-06-20_a0bf6f0601f924eeb9ff269b1e0e168e_icedid.exe	28
PID 780 wrote to memory of 2284	780	2024-06-20_a0bf6f0601f924eeb9ff269b1e0e168e_icedid.exe	28
PID 780 wrote to memory of 2284	780	2024-06-20_a0bf6f0601f924eeb9ff269b1e0e168e_icedid.exe	28
PID 2284 wrote to memory of 2552	2284	cmd.exe	30
PID 2284 wrote to memory of 2552	2284	cmd.exe	30
PID 2284 wrote to memory of 2552	2284	cmd.exe	30
PID 2284 wrote to memory of 2552	2284	cmd.exe	30
PID 2284 wrote to memory of 2680	2284	cmd.exe	31
PID 2284 wrote to memory of 2680	2284	cmd.exe	31
PID 2284 wrote to memory of 2680	2284	cmd.exe	31
PID 2284 wrote to memory of 2680	2284	cmd.exe	31
PID 780 wrote to memory of 2964	780	2024-06-20_a0bf6f0601f924eeb9ff269b1e0e168e_icedid.exe	32
PID 780 wrote to memory of 2964	780	2024-06-20_a0bf6f0601f924eeb9ff269b1e0e168e_icedid.exe	32
PID 780 wrote to memory of 2964	780	2024-06-20_a0bf6f0601f924eeb9ff269b1e0e168e_icedid.exe	32
PID 780 wrote to memory of 2964	780	2024-06-20_a0bf6f0601f924eeb9ff269b1e0e168e_icedid.exe	32

C:\Users\Admin\AppData\Local\Temp\2024-06-20_a0bf6f0601f924eeb9ff269b1e0e168e_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-20_a0bf6f0601f924eeb9ff269b1e0e168e_icedid.exe"
1⤵
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:780
- C:\Windows\SysWOW64\cmd.exe
  cmd /c netstat -ano|findstr ":47315 " > c:\~startingshot_test_port_tmp
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2284
- - C:\Windows\SysWOW64\NETSTAT.EXE
    netstat -ano
    3⤵
    - Gathers network information
    - Suspicious use of AdjustPrivilegeToken
    PID:2552
- - C:\Windows\SysWOW64\findstr.exe
    findstr ":47315 "
    3⤵
    PID:2680
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del c:\~startingshot_test_port_tmp
  2⤵
  PID:2964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ShengquGames\StartingShot\StartingShotc31d6753e78a5f118af7d2e1af5d611b\dataupload.ssconf

Filesize
589B

MD5
95fe52b705799744dec89dcdb9add7ba

SHA1
26f5bf1e7a5e4157a0290ddd9fd09e815f30a6e4

SHA256
520b42e9f27e5fae21345d1359e6d242d44c32b11c4e2312039556c21af0e988

SHA512
4b71c8f68392d24078fb8257601367d49c1c9ecaf5b05a0bcc88a733a98ae21ce46d608711fbe212b41c4e9da258ed1968e8c4d6b67ed21d695aa00844d700ee

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads