31483762dc559a0df58671c0b6120712f5bc813df50dbc6016266ae515d2eea6

Analysis

max time kernel
20s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 21:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-01_4aae0c2f7e79ea69ba2eb9a76111f910_icedid.exe
Size

2.3MB
MD5

4aae0c2f7e79ea69ba2eb9a76111f910
SHA1

6cc66262c629373351d073d27dcd87409d65629f
SHA256

31483762dc559a0df58671c0b6120712f5bc813df50dbc6016266ae515d2eea6
SHA512

defa4fb5eddfe14c2f292d73c0caa05674f4109fe60acfa02b505134be5aecea7d25b52ade260c0cfa4d51975fdc1e284bd755a4daf3d37656f051be5eef9985
SSDEEP

49152:QYkMmLiSmcNKg2zLOb9fbS+hkt9gYxV1XJ44oQzOZQ852lH1Q:7kMmLiS7NizLOb9fbSHngYxV1XXzOn+

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2136	317C.tmp

Loads dropped DLL 2 IoCs

pid	Process
1220	2024-07-01_4aae0c2f7e79ea69ba2eb9a76111f910_icedid.exe
1220	2024-07-01_4aae0c2f7e79ea69ba2eb9a76111f910_icedid.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\ahclient.dll	317C.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll	317C.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Filters\odffilt.dll	317C.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\EXPSRV.DLL	317C.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\BIN\FPWEC.DLL	317C.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\PPKLite.api	317C.tmp
File created	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroPDF.dll	317C.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\RICHED20.DLL	317C.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	317C.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\msmdlocal.dll	317C.tmp
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	317C.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\USP10.DLL	317C.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\authplay.dll	317C.tmp
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\vdk150.dll	317C.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\ITIRCL55.DLL	317C.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSO.DLL	317C.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOLoader.dll	317C.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Updater.api	317C.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	317C.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\EXP_PDF.DLL	317C.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\FDATE.DLL	317C.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\VBE7.DLL	317C.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	317C.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\drvDX8.x3d	317C.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\MSB1XTOR.DLL	317C.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FREN\MSB1FREN.DLL	317C.tmp
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	317C.tmp
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Onix32.dll	317C.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\MSCONV97.DLL	317C.tmp
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AXSLE.dll	317C.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Spelling.api	317C.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Csi.dll	317C.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	317C.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\OSetupPS.dll	317C.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.dll	317C.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\ReadOutLoud.api	317C.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Search5.api	317C.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\ADMPlugin.apl	317C.tmp
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR.dll	317C.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEEXCH.DLL	317C.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\FPERSON.DLL	317C.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WPFT532.CNV	317C.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	317C.tmp
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	317C.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Search.api	317C.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEREP.DLL	317C.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\FSTOCK.DLL	317C.tmp
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeLinguistic.dll	317C.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\BIBUtils.dll	317C.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\MCIMPP.mpp	317C.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\AUMProduct.aup	317C.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL	317C.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\MOFL.DLL	317C.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\Real.mpp	317C.tmp
File opened for modification	C:\Program Files (x86)\Common Files\DESIGNER\MSADDNDR.DLL	317C.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	317C.tmp
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\xmlrw.dll	317C.tmp
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AXE8SharedExpat.dll	317C.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\WindowsMedia.mpp	317C.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACECORE.DLL	317C.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	317C.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Web Folders\MSOSV.DLL	317C.tmp
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	317C.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXEV.DLL	317C.tmp

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1220	2024-07-01_4aae0c2f7e79ea69ba2eb9a76111f910_icedid.exe
1220	2024-07-01_4aae0c2f7e79ea69ba2eb9a76111f910_icedid.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1220	2024-07-01_4aae0c2f7e79ea69ba2eb9a76111f910_icedid.exe
1220	2024-07-01_4aae0c2f7e79ea69ba2eb9a76111f910_icedid.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1220	2024-07-01_4aae0c2f7e79ea69ba2eb9a76111f910_icedid.exe
1220	2024-07-01_4aae0c2f7e79ea69ba2eb9a76111f910_icedid.exe
1220	2024-07-01_4aae0c2f7e79ea69ba2eb9a76111f910_icedid.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1220 wrote to memory of 2136	1220	2024-07-01_4aae0c2f7e79ea69ba2eb9a76111f910_icedid.exe	28
PID 1220 wrote to memory of 2136	1220	2024-07-01_4aae0c2f7e79ea69ba2eb9a76111f910_icedid.exe	28
PID 1220 wrote to memory of 2136	1220	2024-07-01_4aae0c2f7e79ea69ba2eb9a76111f910_icedid.exe	28
PID 1220 wrote to memory of 2136	1220	2024-07-01_4aae0c2f7e79ea69ba2eb9a76111f910_icedid.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-07-01_4aae0c2f7e79ea69ba2eb9a76111f910_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-01_4aae0c2f7e79ea69ba2eb9a76111f910_icedid.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1220
- C:\Users\Admin\AppData\Local\Temp\317C.tmp
  C:\Users\Admin\AppData\Local\Temp\317C.tmp
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2136

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\317C.tmp

Filesize
145KB

MD5
c610e7ccd6859872c585b2a85d7dc992

SHA1
362b3d4b72e3add687c209c79b500b7c6a246d46

SHA256
14063fc61dc71b9881d75e93a587c27a6daf8779ff5255a24a042beace541041

SHA512
8570aad2ae8b5dcba00fc5ebf3dc0ea117e96cc88a83febd820c5811bf617a6431c1367b3eb88332f43f80b30ebe2c298c22dcc44860a075f7b41bf350236666

Download Submit
memory/1220-0-0x0000000000320000-0x00000000003B2000-memory.dmp

Filesize
584KB

Download
memory/1220-1-0x0000000000320000-0x00000000003B2000-memory.dmp

Filesize
584KB

Download