253fc19a758662b46566ee43761edd4524b740119ac7b59fbb7c2ef6434e461f

General

Target

2024-06-24_f8afd2edd536bf7e11a469ef4832713f_icedid.exe
Size

3.7MB
MD5

f8afd2edd536bf7e11a469ef4832713f
SHA1

2e14c2ec2d1b9935efd0759ce43b38bf38c4a092
SHA256

253fc19a758662b46566ee43761edd4524b740119ac7b59fbb7c2ef6434e461f
SHA512

514d508953b6ab9d69666ac4023af58a1397dacb745daeba8d3161493c9776249a73df1824ce9f32ab682a3ed61c3dbd1e6409447efaf0644531f360b032e517
SSDEEP

49152:fRmTgwMQo7af2fH43yCzEwly31ywbQ4146caTtPhF+P17n8Tfm:fRGglQAH4vzvQ1yw8z6bTtPz+Nb8TO

Score

6^/10

adware stealer

Malware Config

Signatures

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	2024-06-24_f8afd2edd536bf7e11a469ef4832713f_icedid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}	2024-06-24_f8afd2edd536bf7e11a469ef4832713f_icedid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper"	2024-06-24_f8afd2edd536bf7e11a469ef4832713f_icedid.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1"	2024-06-24_f8afd2edd536bf7e11a469ef4832713f_icedid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	2024-06-24_f8afd2edd536bf7e11a469ef4832713f_icedid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}	2024-06-24_f8afd2edd536bf7e11a469ef4832713f_icedid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper"	2024-06-24_f8afd2edd536bf7e11a469ef4832713f_icedid.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1"	2024-06-24_f8afd2edd536bf7e11a469ef4832713f_icedid.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 24 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\Policy = "3"	2024-06-24_f8afd2edd536bf7e11a469ef4832713f_icedid.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}	2024-06-24_f8afd2edd536bf7e11a469ef4832713f_icedid.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\	2024-06-24_f8afd2edd536bf7e11a469ef4832713f_icedid.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Download with IDM	2024-06-24_f8afd2edd536bf7e11a469ef4832713f_icedid.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Download all links with IDM	2024-06-24_f8afd2edd536bf7e11a469ef4832713f_icedid.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Download all links with IDM\contexts = "243"	2024-06-24_f8afd2edd536bf7e11a469ef4832713f_icedid.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}	2024-06-24_f8afd2edd536bf7e11a469ef4832713f_icedid.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Download with IDM\contexts = "243"	2024-06-24_f8afd2edd536bf7e11a469ef4832713f_icedid.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Download all links with IDM\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IEGetAll.htm"	2024-06-24_f8afd2edd536bf7e11a469ef4832713f_icedid.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppName = "2024-06-24_f8afd2edd536bf7e11a469ef4832713f_icedid.exe"	2024-06-24_f8afd2edd536bf7e11a469ef4832713f_icedid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}"	2024-06-24_f8afd2edd536bf7e11a469ef4832713f_icedid.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp"	2024-06-24_f8afd2edd536bf7e11a469ef4832713f_icedid.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\Policy = "3"	2024-06-24_f8afd2edd536bf7e11a469ef4832713f_icedid.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}"	2024-06-24_f8afd2edd536bf7e11a469ef4832713f_icedid.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Download with IDM\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IEExt.htm"	2024-06-24_f8afd2edd536bf7e11a469ef4832713f_icedid.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Low Rights	2024-06-24_f8afd2edd536bf7e11a469ef4832713f_icedid.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppName = "2024-06-24_f8afd2edd536bf7e11a469ef4832713f_icedid.exe"	2024-06-24_f8afd2edd536bf7e11a469ef4832713f_icedid.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp"	2024-06-24_f8afd2edd536bf7e11a469ef4832713f_icedid.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\Policy = "3"	2024-06-24_f8afd2edd536bf7e11a469ef4832713f_icedid.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	2024-06-24_f8afd2edd536bf7e11a469ef4832713f_icedid.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppName = "IEMonitor.exe"	2024-06-24_f8afd2edd536bf7e11a469ef4832713f_icedid.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp"	2024-06-24_f8afd2edd536bf7e11a469ef4832713f_icedid.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop	2024-06-24_f8afd2edd536bf7e11a469ef4832713f_icedid.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}	2024-06-24_f8afd2edd536bf7e11a469ef4832713f_icedid.exe

Modifies registry class 12 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter\CLSID\ = "{AC746233-E9D3-49CD-862F-068F7B7CCCA4}"	2024-06-24_f8afd2edd536bf7e11a469ef4832713f_icedid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\AppID = "{AC746233-E9D3-49CD-862F-068F7B7CCCA4}"	2024-06-24_f8afd2edd536bf7e11a469ef4832713f_icedid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-06-24_f8afd2edd536bf7e11a469ef4832713f_icedid.exe"	2024-06-24_f8afd2edd536bf7e11a469ef4832713f_icedid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}	2024-06-24_f8afd2edd536bf7e11a469ef4832713f_icedid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\RunAs = "Interactive User"	2024-06-24_f8afd2edd536bf7e11a469ef4832713f_icedid.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ROTFlags = "1"	2024-06-24_f8afd2edd536bf7e11a469ef4832713f_icedid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter	2024-06-24_f8afd2edd536bf7e11a469ef4832713f_icedid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter\CLSID	2024-06-24_f8afd2edd536bf7e11a469ef4832713f_icedid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}	2024-06-24_f8afd2edd536bf7e11a469ef4832713f_icedid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ = "IDMan.CIDMLinkTransmitter"	2024-06-24_f8afd2edd536bf7e11a469ef4832713f_icedid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\LocalServer32	2024-06-24_f8afd2edd536bf7e11a469ef4832713f_icedid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ = "IDMan"	2024-06-24_f8afd2edd536bf7e11a469ef4832713f_icedid.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2004	2024-06-24_f8afd2edd536bf7e11a469ef4832713f_icedid.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeRestorePrivilege	2004	2024-06-24_f8afd2edd536bf7e11a469ef4832713f_icedid.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2004	2024-06-24_f8afd2edd536bf7e11a469ef4832713f_icedid.exe
2004	2024-06-24_f8afd2edd536bf7e11a469ef4832713f_icedid.exe
2004	2024-06-24_f8afd2edd536bf7e11a469ef4832713f_icedid.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-24_f8afd2edd536bf7e11a469ef4832713f_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-24_f8afd2edd536bf7e11a469ef4832713f_icedid.exe"
1⤵
- Installs/modifies Browser Helper Object
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads