8a4c8d05bc091e8aef7b79d3e34507839baf08c386a9f9c4a20aef64b875f56d

Analysis

max time kernel
127s
max time network
128s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
29-06-2024 11:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
Size

17.4MB
MD5

d1b9f82d0a6107f71f23b23a3529255b
SHA1

02f798260b03508cbf148e262dc23e8b39f3bee6
SHA256

8a4c8d05bc091e8aef7b79d3e34507839baf08c386a9f9c4a20aef64b875f56d
SHA512

acce51130136ca3f24c451e097ce51194a68c9c7337b401065a4ad5a0eedc64b4e305634e53a5b18ceaed65e4337487c074592d01a5a09bde57411eecb750899
SSDEEP

393216:KcbavUeJ2deJjwDfETQxvjdqYeqwb44tAszcRtqfZPjYv+:tba8SmdqLqp4t5+AfKm

Score

7^/10

bootkit persistence

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
2836	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
2836	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\FEIQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe 1"	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
File opened (read-only)	\??\B:	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\feiq\Db\info.db-journal	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
File created	C:\Program Files\detect15368.txt	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
File created	C:\Program Files\detect17814.txt	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
File created	C:\Program Files\feiq\zone\image\tplhtml\ÏµÍ³Ö÷Ò³Ä£°å1.html	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
File created	C:\Program Files\feiq\zone\image\1e84c1b9b4753b2876030181a74e3d0f.gif	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
File created	C:\Program Files\feiq\zone\image\860d4f7f6782285406a96c092b38805d.jpg	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
File created	C:\Program Files\feiq\zone\image\aebf40f73551de45476780ecf0ff3c20.jpg	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
File created	C:\Program Files\feiq\zone\image\4f4a781db030ae8d5e84d4caf90f1747.png	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
File created	C:\Program Files\feiq\zone\image\131f5b074d9f8bc6049cfde364530875.gif	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
File created	C:\Program Files\feiq\Db\info.db	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
File opened for modification	C:\Program Files\feiq\zone\zonetpl.db-journal	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
File created	C:\Program Files\feiq\zone\image\tplhtml\ÏµÍ³ÈÕÖ¾Ä£°å3.html	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
File created	C:\Program Files\feiq\zone\image\0fa3ead2d292051eb73f200165ffd7c8.gif	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
File created	C:\Program Files\feiq\zone\image\01f31aed202f0b31ea2879550c239585.gif	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
File created	C:\Program Files\feiq\zone\image\5e96edd4516f348c2317af845112023e.gif	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
File created	C:\Program Files\feiq\zone\image\df453317c93f4df742d398436e1d5646.gif	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
File opened for modification	C:\Program Files\feiq\Db\winfo.db-journal	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
File opened for modification	C:\Program Files\feiq\zone\zonetpl.db	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
File created	C:\Program Files\feiq\zone\image\tplhtml\ÏµÍ³ÈÕÖ¾Ä£°å1.html	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
File created	C:\Program Files\feiq\zone\image\6361c909a9c0ff4e0867d5fb6ae28914.jpg	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
File created	C:\Program Files\feiq\zone\zone.db	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
File created	C:\Program Files\feiq\zone\zonetpl.db	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
File created	C:\Program Files\feiq\zone\image\zonetpl.zip	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
File created	C:\Program Files\feiq\zone\image\03c714fa9758d8e262c344786c436230.jpg	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
File created	C:\Program Files\feiq\zone\image\tplhtml\ÏµÍ³Ö÷Ò³Ä£°å2.html	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
File created	C:\Program Files\feiq\GifDll\ImageOle.dll	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
File created	C:\Program Files\feiq\Db\resumefile.db	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
File created	C:\Program Files\feiq\Tuiguang\detect818.txt	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
File opened for modification	C:\Program Files\feiq\Db\winfo.db	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
File opened for modification	C:\Program Files\feiq\zone\zonecache.db-journal	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
File created	C:\Program Files\feiq\zone\image\02d8ba1bdac27d6f1d10c04bf89dab65.jpg	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
File created	C:\Program Files\feiq\zone\image\722353e851c95d7ae608bd7ce5c75efc.jpg	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
File created	C:\Program Files\feiq\AppBox\Logo\cfg.db	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
File created	C:\Program Files\feiq\zone\image\2f561b63b7d93a7f55573b99f212343b.jpg	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
File created	C:\Program Files\feiq\zone\image\6e7e18d4569bfe59210b2947105f05f0.gif	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
File created	C:\Program Files\feiq\zone\image\34458eb1df38a60c2209182c43d1f5aa.gif	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
File opened for modification	C:\Program Files\feiq\Db\resumefile.db	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
File opened for modification	C:\Program Files\feiq\Db\resumefile.db-journal	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
File created	C:\Program Files\feiq\Db\winfo.db	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
File created	C:\Program Files\feiq\zone\image\tplhtml\ÏµÍ³ÈÕÖ¾Ä£°å2.html	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
File created	C:\Program Files\feiq\zone\image\edaa43447b5883a61f054bd27eceba18.gif	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
File created	C:\Program Files\feiq\detect16174.txt	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
File created	C:\Program Files\feiq\AppBox\detect460.txt	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
File created	C:\Program Files\feiq\Tuiguang\data.db	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
File opened for modification	C:\Program Files\feiq\AppBox\Logo\cfg.db	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
File opened for modification	C:\Program Files\feiq\zone\zone.db	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
File created	C:\Program Files\feiq\zone\zonecache.db	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
File opened for modification	C:\Program Files\feiq\zone\zonecache.db	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
File created	C:\Program Files\feiq\zone\image\tplhtml\ÏµÍ³ÈÕÖ¾Ä£°å5.html	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
File created	C:\Program Files\feiq\zone\image\7f5f59a3a5dd55db4fabf72fdc045485.gif	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
File opened for modification	C:\Program Files\feiq\Tuiguang\data.db	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
File created	C:\Program Files\feiq\detect12618.txt	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
File created	C:\Program Files\feiq\zone\image\tplhtml\ÏµÍ³ÈÕÖ¾Ä£°å4.html	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
File created	C:\Program Files\feiq\zone\image\2c52d91c9521d197139e92cee16e8322.jpg	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
File created	C:\Program Files\feiq\zone\image\683a2bbbfa0a4e282bae11dc5eebf675.gif	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
File created	C:\Program Files\feiq\zone\image\c1d0cd7d4d57a7cbe1ae8bc0f1c2fe27.gif	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
File created	C:\Program Files\feiq\zone\image\f5eb33897069eafcefcf4896dc5db673.gif	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
File created	C:\Program Files\detect16543.txt	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
File opened for modification	C:\Program Files\feiq\AppBox\Logo\cfg.db-journal	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
File opened for modification	C:\Program Files\feiq\zone\zone.db-journal	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
File created	C:\Program Files\feiq\zone\image\tplhtml\ÏµÍ³Ö÷Ò³Ä£°å3.html	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
File opened for modification	C:\Program Files\feiq\Db\info.db	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
File created	C:\Program Files\feiq\FeiqCfg.xml	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
File created	C:\Program Files\feiq\zone\image\2401c01dd3fdbe7d80f02b26d11d8f7f.jpg	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQBuddyCollection.1\CLSID	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{88118872-FA84-4324-BD58-8A804ABB339D}\ProgID\ = "FeiQ.FQCalendar.1"	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1129492B-BE39-4F68-9FB2-954A15642CE6}\TypeLib\ = "{83863943-2942-4480-83CF-CE99E5655801}"	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4AB3843-3548-4e73-B99D-620DF075BB32}\TypeLib	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BE8BCAB3-73D7-4316-872E-2C776302ECD4}\ = "FQRoot Class"	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQUi.1\ = "CFQUi Class"	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ImageOle.GifAnimator\CLSID	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQMenu.1\CLSID\ = "{97819BF3-8E21-477c-9162-5AED70E4155A}"	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}\TypeLib	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{39AF7A0C-F38A-420F-9611-6C848375977B}\AppID = "{B6938C8A-42A7-40AE-A4A9-85EAC54FC8F8}"	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQBuddy.1\ = "FQBuddy Class"	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQTools\CLSID\ = "{1129492B-BE39-4F68-9FB2-954A15642CE6}"	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.Application	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQData	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B6620960-3908-4FE6-B347-9744EEF0ABE2}\LocalServer32	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{710993A2-4F87-41D7-B6FE-F5A20368465F}\1.0\0\win32	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{39AF7A0C-F38A-420F-9611-6C848375977B}\ProgID\ = "FeiQ.FQBuddyCollection.1"	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97819BF3-8E21-477c-9162-5AED70E4155A}\TypeLib\ = "{83863943-2942-4480-83CF-CE99E5655801}"	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{39AF7A0C-F38A-420F-9611-6C848375977B}	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ImageOle.GifAnimator	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\InprocServer32	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\Control	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQMenu.1	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{88118872-FA84-4324-BD58-8A804ABB339D}\TypeLib\ = "{83863943-2942-4480-83CF-CE99E5655801}"	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1129492B-BE39-4F68-9FB2-954A15642CE6}\VersionIndependentProgID	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0525C8BE-6CCA-4AF7-B72A-1D81756978F0}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe\""	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQUi\ = "CFQUi Class"	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQBuddyCollection\CLSID\ = "{39AF7A0C-F38A-420F-9611-6C848375977B}"	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQFolderBar\CurVer	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BE8BCAB3-73D7-4316-872E-2C776302ECD4}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe\""	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\TypeLib	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQMenu\CurVer	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1129492B-BE39-4F68-9FB2-954A15642CE6}\ProgID	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\Version	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQBuddyCollection	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97819BF3-8E21-477c-9162-5AED70E4155A}\TypeLib	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{88118872-FA84-4324-BD58-8A804ABB339D}\LocalServer32	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.Application.1	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQUi.1\CLSID\ = "{B6620960-3908-4FE6-B347-9744EEF0ABE2}"	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97819BF3-8E21-477c-9162-5AED70E4155A}\VersionIndependentProgID	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1129492B-BE39-4F68-9FB2-954A15642CE6}	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQData.1\CLSID	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQData.1\CLSID\ = "{C4AB3843-3548-4e73-B99D-620DF075BB32}"	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BE8BCAB3-73D7-4316-872E-2C776302ECD4}\LocalServer32	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQCalendar\CLSID	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{78669512-A747-4933-8DEC-6C1196599BFB}\TypeLib	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{78669512-A747-4933-8DEC-6C1196599BFB}\TypeLib\ = "{83863943-2942-4480-83CF-CE99E5655801}"	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQTools\ = "FQTools Class"	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.Application\CurVer\ = "FeiQ.Application.1"	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.ClientObjectsModule.1\CLSID\ = "{A5CAC5D2-0527-414b-979F-0FAA325646CC}"	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{78669512-A747-4933-8DEC-6C1196599BFB}	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}\ = "IGifAnimator"	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{39AF7A0C-F38A-420F-9611-6C848375977B}\LocalServer32	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQBuddy\CLSID	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{88118872-FA84-4324-BD58-8A804ABB339D}\ProgID	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A5CAC5D2-0527-414b-979F-0FAA325646CC}\VersionIndependentProgID	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQUi.1	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97819BF3-8E21-477c-9162-5AED70E4155A}\AppID = "{B6938C8A-42A7-40AE-A4A9-85EAC54FC8F8}"	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQMenu.1\ = "FQMenu Class"	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FeiQ.FQMenu.1\CLSID	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CBAFFFA3-8012-4E65-902C-9DF4360BFC3B}\LocalServer32	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2836	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
2836	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
2836	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2836	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
2836	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2836	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
2836	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
2836	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
2836	2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-29_d1b9f82d0a6107f71f23b23a3529255b_huhk_icedid_vidar.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\feiq\feiq.ini

Filesize
40B

MD5
ad7812ebc6c6bf360977baac663a42f5

SHA1
72844f6c194ffbbc2fb254e76951fe2cd4e479a5

SHA256
a7b8987fdcc95136c90be17665bb4b21d07f0270a427592eea6f4fc63422d9df

SHA512
d5b4453e2df7121ade86df50e444abc27a9c4a9e72eaddf5f95c4befafe0e7829a0f63509c5cc7db7ba5e86e3efc85eac3b1da9c26499ad62362af6dff17c7e9

Download Submit
\Program Files\feiq\GifDll\ImageOle.dll

Filesize
69KB

MD5
c653904916e99c2653bf3b339c734f05

SHA1
6cb3cde5b5f7ffd76b0de150feb15801f705dd57

SHA256
a11cd7f420a737e8127012c24dc3fbce1b2e6c6c3425f2028c6171a7e8eb7785

SHA512
d4aa6713140d2391ee56352dc350e892ffc905843e74f1cdc99b0ce1645ec1d1ba4e990a8ee847928aabd10de0488f035c5df5e005ec7048c4f07d88d9082e6b

Download Submit
memory/2836-17-0x0000000000400000-0x0000000001586C00-memory.dmp

Filesize
17.5MB

Download
memory/2836-26-0x0000000000400000-0x0000000001586C00-memory.dmp

Filesize
17.5MB

Download
memory/2836-35-0x0000000000400000-0x0000000001586C00-memory.dmp

Filesize
17.5MB

Download
memory/2836-77-0x0000000000400000-0x0000000001586C00-memory.dmp

Filesize
17.5MB

Download
memory/2836-84-0x0000000000400000-0x0000000001586C00-memory.dmp

Filesize
17.5MB

Download
memory/2836-111-0x0000000000400000-0x0000000001586C00-memory.dmp

Filesize
17.5MB

Download
memory/2836-112-0x0000000000400000-0x0000000001586C00-memory.dmp

Filesize
17.5MB

Download
memory/2836-115-0x0000000000400000-0x0000000001586C00-memory.dmp

Filesize
17.5MB

Download
memory/2836-118-0x0000000000400000-0x0000000001586C00-memory.dmp

Filesize
17.5MB

Download
memory/2836-121-0x0000000000400000-0x0000000001586C00-memory.dmp

Filesize
17.5MB

Download
memory/2836-124-0x0000000000400000-0x0000000001586C00-memory.dmp

Filesize
17.5MB

Download
memory/2836-129-0x0000000000400000-0x0000000001586C00-memory.dmp

Filesize
17.5MB

Download
memory/2836-130-0x0000000000400000-0x0000000001586C00-memory.dmp

Filesize
17.5MB

Download
memory/2836-143-0x0000000000400000-0x0000000001586C00-memory.dmp

Filesize
17.5MB

Download
memory/2836-142-0x0000000000400000-0x0000000001586C00-memory.dmp

Filesize
17.5MB

Download
memory/2836-154-0x0000000000400000-0x0000000001586C00-memory.dmp

Filesize
17.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads