b295f0efeea35a133b30eb386a14216cd519828b88f4047b11cb9ac543daaac5

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
01/07/2024, 16:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe
Size

158KB
MD5

e30d5405e0c75e463d567e485e1d0223
SHA1

ae569f483f95c2b324e4d2118ca2cb84d7386941
SHA256

b295f0efeea35a133b30eb386a14216cd519828b88f4047b11cb9ac543daaac5
SHA512

c916608e29741a531ea0f3c82149305f8d062c69627d1b3ab15ad1bf0ec19cf3cc8441729642e62dda4357b476a50203de4df8b4bcfd3e203b75f1794c76c4d3
SSDEEP

3072:bLyb9xNTwvhIF19br5Bc5OZcOhUsmXkcxyhZAXlDrbHWQM8/Vy1Pvaa+CkzRZ+Y/:uxNTShma5KJqTXkU+mZp

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Runonce = "C:\\Windows\\system32\\runouce.exe"	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe
File opened (read-only)	\??\W:	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe
File opened (read-only)	\??\X:	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe
File opened (read-only)	\??\J:	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe
File opened (read-only)	\??\R:	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe
File opened (read-only)	\??\S:	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe
File opened (read-only)	\??\N:	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe
File opened (read-only)	\??\H:	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe
File opened (read-only)	\??\K:	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe
File opened (read-only)	\??\L:	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe
File opened (read-only)	\??\O:	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe
File opened (read-only)	\??\Q:	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe
File opened (read-only)	\??\V:	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe
File opened (read-only)	\??\Y:	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe
File opened (read-only)	\??\E:	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe
File opened (read-only)	\??\G:	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe
File opened (read-only)	\??\I:	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe
File opened (read-only)	\??\Z:	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe
File opened (read-only)	\??\M:	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe
File opened (read-only)	\??\P:	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe
File opened (read-only)	\??\U:	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\runouce.exe	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe
File opened for modification	C:\Windows\SysWOW64\runouce.exe	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\license.html	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\ONELEV.EXE	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\TECHTOOL.HTM	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\Hearts.exe	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\readme.eml	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\about.html	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\epl-v10.html	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Shades of Blue.htm	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SAMPLES\SOLVSAMP.XLS	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\readme.eml	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Green Bubbles.htm	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\readme.eml	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\license.html	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\AccessWeb\CLNTWRAP.HTM	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSQRY32.EXE	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\PurblePlace.exe	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsPreviewTemplate.html	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\readme.eml	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\preface.htm	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Soft Blue.htm	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsHomePage.html	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\view.html	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsFormTemplate.html	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsPreviewTemplate.html	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsFormTemplate.html	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\title.htm	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckgzm.exe	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\readme.eml	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\chkrzm.exe	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\readme.eml	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\about.html	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\readme.eml	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\readme.eml	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Green Bubbles.htm	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 2036	2232	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe	28
PID 2232 wrote to memory of 2036	2232	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe	28
PID 2232 wrote to memory of 2036	2232	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe	28
PID 2232 wrote to memory of 2036	2232	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe	28
PID 2232 wrote to memory of 1336	2232	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe	21
PID 2232 wrote to memory of 1336	2232	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe	21
PID 2232 wrote to memory of 1336	2232	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe	21
PID 2232 wrote to memory of 1336	2232	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe	21
PID 2232 wrote to memory of 1336	2232	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe	21
PID 2232 wrote to memory of 1336	2232	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe	21
PID 2232 wrote to memory of 1336	2232	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe	21
PID 2232 wrote to memory of 1336	2232	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe	21
PID 2232 wrote to memory of 1336	2232	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe	21
PID 2232 wrote to memory of 1336	2232	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe	21
PID 2232 wrote to memory of 1336	2232	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe	21
PID 2232 wrote to memory of 1336	2232	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe	21
PID 2232 wrote to memory of 1336	2232	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe	21
PID 2232 wrote to memory of 1336	2232	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe	21
PID 2232 wrote to memory of 1336	2232	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe	21
PID 2232 wrote to memory of 1336	2232	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe	21
PID 2232 wrote to memory of 1336	2232	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe	21
PID 2232 wrote to memory of 1336	2232	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe	21
PID 2232 wrote to memory of 1336	2232	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe	21
PID 2232 wrote to memory of 1336	2232	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe	21
PID 2232 wrote to memory of 1336	2232	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe	21
PID 2232 wrote to memory of 1336	2232	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe	21
PID 2232 wrote to memory of 1336	2232	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe	21
PID 2232 wrote to memory of 1336	2232	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe	21
PID 2232 wrote to memory of 1336	2232	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe	21
PID 2232 wrote to memory of 1336	2232	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe	21
PID 2232 wrote to memory of 1336	2232	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe	21
PID 2232 wrote to memory of 1336	2232	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe	21
PID 2232 wrote to memory of 1336	2232	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe	21
PID 2232 wrote to memory of 1336	2232	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe	21
PID 2232 wrote to memory of 1336	2232	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe	21
PID 2232 wrote to memory of 1336	2232	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe	21
PID 2232 wrote to memory of 1336	2232	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe	21
PID 2232 wrote to memory of 1336	2232	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe	21
PID 2232 wrote to memory of 1336	2232	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe	21
PID 2232 wrote to memory of 1336	2232	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe	21
PID 2232 wrote to memory of 1336	2232	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe	21
PID 2232 wrote to memory of 1336	2232	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe	21
PID 2232 wrote to memory of 1336	2232	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe	21
PID 2232 wrote to memory of 1336	2232	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe	21
PID 2232 wrote to memory of 1336	2232	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe	21
PID 2232 wrote to memory of 1336	2232	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe	21
PID 2232 wrote to memory of 1336	2232	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe	21
PID 2232 wrote to memory of 1336	2232	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe	21
PID 2232 wrote to memory of 1336	2232	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe	21
PID 2232 wrote to memory of 1336	2232	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe	21
PID 2232 wrote to memory of 1336	2232	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe	21
PID 2232 wrote to memory of 1336	2232	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe	21
PID 2232 wrote to memory of 1336	2232	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe	21
PID 2232 wrote to memory of 1336	2232	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe	21
PID 2232 wrote to memory of 1336	2232	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe	21
PID 2232 wrote to memory of 1336	2232	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe	21
PID 2232 wrote to memory of 1336	2232	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe	21
PID 2232 wrote to memory of 1336	2232	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe	21
PID 2232 wrote to memory of 1336	2232	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe	21
PID 2232 wrote to memory of 1336	2232	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe	21
PID 2232 wrote to memory of 1336	2232	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe	21
PID 2232 wrote to memory of 1336	2232	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe	21
PID 2232 wrote to memory of 1336	2232	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe	21
PID 2232 wrote to memory of 1336	2232	2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1336
- C:\Users\Admin\AppData\Local\Temp\2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe
  "C:\Users\Admin\AppData\Local\Temp\2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe"
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:2232
- - C:\Users\Admin\AppData\Local\Temp\2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-07-01_e30d5405e0c75e463d567e485e1d0223_chir_icedid.exe"
    3⤵
    PID:2036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\readme.eml

Filesize
14KB

MD5
a21521208d15ce3a513d33e729a489fa

SHA1
b534038f3652398feb6c64df0548c496e01352a9

SHA256
74340924bbd945a811799f6f373fe30c114916b987e2660c3c6a0bfd4cd7c1be

SHA512
565c1d4607224818dc31ff2d38c166fa5b4d36f210e6d759012776d1e9041d0c252360bd4720e5b2163e2574b606d5343c68d64441297c1dbd2914f406c03b91

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
12KB

MD5
8156706568e77846b7bfbcc091c6ffeb

SHA1
792aa0db64f517520ee8f745bee71152532fe4d2

SHA256
5e19cfbd6690649d3349e585472385186d99f56a94dc32d9073b83011cea85f8

SHA512
8760f26069296f0fe09532f1244d93a57db4cafa8d06aaa9dc981bcaed4bde05366ef21e6f0c1aadad4478382b59a4e43d26c04185cf2ed965901321d05604b8

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
8KB

MD5
7757fe48a0974cb625e89012c92cc995

SHA1
e4684021f14053c3f9526070dc687ff125251162

SHA256
c0a8aa811a50c9b592c8f7987c016e178c732d7ebfd11aa985a8f0480539fa03

SHA512
b3d4838b59f525078542e7ebbf77300d6f94e13b0bff1c9a2c5b44a66b89310a2593815703f9571565c18b0cdeb84e9e48432208aaa25dff9d2223722902d526

Download Submit
C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

Filesize
451KB

MD5
1d47639695c7aa302c7661e1303fa181

SHA1
d808f86b5dab02e171c30098a6917d54462dd165

SHA256
e94d79f0ae13e6f7a1635c5dab5f8941f4e0daf63b215ff99f8e5ab7de037224

SHA512
457c6e4d3948d86cf81afb6f97b728eb379f3205ff2a4790d46e61620d667cd9588f8f319a57337d8d7b5c714c6828649df5d0672143beb604fd9f28a5a16407

Download Submit
C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

Filesize
640KB

MD5
f35f3ad9f8fd4b0761904bb32b635ddc

SHA1
43ae24bd47280cc9528b5954bead661e26a8c8f1

SHA256
29f4db4df0fcc17210372c08a911638fbaa14f6096bc611cca2ecb7896fd9033

SHA512
13ac3e0890a559f6304cccf22ef2c4beced5b77b43012e81c3ae86553fcf8a17ed78cc996496199068338e476714964d26adc85a20a1a747ff44bcc6f64087f3

Download Submit
C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

Filesize
640KB

MD5
0976d69db5a5deee3bd16e23aba31a8c

SHA1
153f092cc96cd3ac05a16a01d2ff1c95576a61bc

SHA256
722b56a9b6201880c87f1d4a780aee4dd5cc84781b1a9836e8f8c93abbb6ed59

SHA512
543d9b55bcd21b38dfdd3a3eab29d5df33f52d129d840ed2b006b4bef6b3746a575c94d6f2a14fcaadca04dd89aaff10d81ee71de7726ea0e359271b30188ad5

Download Submit
C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

Filesize
461KB

MD5
e450399a8f2e4e8c9f62f777f3881c18

SHA1
7f594e1f91c3dbaccf6a1f5baaa43e32fc638221

SHA256
9385511bb186086f9d1d269474e9b88af0622783cafd9fb147e318f47c4584aa

SHA512
1a42dfc29c4d366524fda296262a612e805441726b8b0b1b67a77171964c45682f9df3c8817c221fa7406801caac9bfb9414dadd416daf8b29f62661db13b3bf

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
451KB

MD5
92b15480b2fa5b934993588fc0b2d6ff

SHA1
15a95c9990645b56b757600da5ff055f4147671a

SHA256
3c44d1b1bdf8067d9b89ad9335a193f86cdd1949745ebe966a4404d4ea3a31f6

SHA512
b92d6d36fb20667d40cf3f2858476229d8f199df0a946e878aece31186e838ca7f7bf6a8e0c556ee6eb0c154a2e0eed35e18b6f69f4302cc931669973f9bc708

Download Submit
C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe

Filesize
461KB

MD5
ce2ebf9f0df32df80516356ad21d1d7e

SHA1
cbbeab4dd3c1788c9c14560a0cfff38e93f776b2

SHA256
8e9c03a0f2a126d2167c9a92a22cdb00f40aa7e8f8dedbe057ae6a07c289f660

SHA512
bbeb9f34df8c6c7af396f94b8e444459b9b39410c19a5e00e57a085bada8356e21ce8f1f522a21d788983adf59c34a791db196f830df7331154e748ad047885b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ose00000.exe

Filesize
152KB

MD5
685a87a2f4e33d3c6391ad2228755d48

SHA1
3a22c3195ca832068521a7a9f6ea62f3e68d44c2

SHA256
391e04ac26ed5ecd2e13b82463df3b35812f8554970a247bb84b735b139b61cb

SHA512
c07fa08152d5c43b9fb673b06b84da7bbe8dea5c9772d2fa1179939c9cea5696e18fd437c55a78f76b8fa3c637a71ce839d9af817d384820ab8d57b4d5215abc

Download Submit
C:\Windows\SysWOW64\runouce.exe

Filesize
10KB

MD5
22680cf201d707272447df122009b8a8

SHA1
b65b870974a476de611a6eca8156c79d0eb4bde7

SHA256
e386ebc7a811b0fffca6211ca786e0af4ceb754fc92e33c0f8a6a3037166eb38

SHA512
e2a3a0832ee65a0576f572585c6098a0d1bed00fe4590ab154bc6c26dbd7706ec9e33e6601c0459fb463239e09dca09b50ed0c4d9a7b16eb3e3f9b868e22d411

Download Submit
C:\vcredist2010_x86.log.html

Filesize
81KB

MD5
0d38f0b1cac2599b7b420d48cdee33b4

SHA1
948daaa38c68326b29044c11190f03258504383a

SHA256
3167dd18b54008236086b9a7095fbe5b818e78750396bfb1f63cf85a32c12778

SHA512
bd52e74fa7f511d1eef00c45af820fa99cc2ab1728be6f37ccf828fed2afafbb9b7c62efd9aae1b6130e70ef56cf8e86462e855f03d21d3a106f9f0142b17440

Download Submit
memory/1336-5-0x0000000002E20000-0x0000000002E21000-memory.dmp

Filesize
4KB

Download
memory/1336-4-0x0000000002E20000-0x0000000002E21000-memory.dmp

Filesize
4KB

Download
memory/2036-2-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2036-1-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2232-0-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2232-853-0x0000000000250000-0x000000000027C000-memory.dmp

Filesize
176KB

Download
memory/2232-658-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads