66efd841fe3f48cba194688551284c8b7b775d8dd7401b813fd879bf7b366e7f

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14-09-2024 22:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-14_431c75b491aa7535b92c5d9c00e23675_icedid.exe
Size

2.0MB
MD5

431c75b491aa7535b92c5d9c00e23675
SHA1

08f45830bc988aa234db210881c3e6a10c92cd5a
SHA256

66efd841fe3f48cba194688551284c8b7b775d8dd7401b813fd879bf7b366e7f
SHA512

6b0c1c9b8fb53261cd400a304c8d01bd0980186f26e9ec6215d7b87eeb1199321a8d3043757ec31047d72c05c656f2c3b27cce6d6e0acc95ea3ed9023d0c023e
SSDEEP

49152:6X4uXjo0Zdx+3M7TF5D2n+H5cOoUao+vib4rMw:e4uTo0Zdxzs9Oobo+q8Mw

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	2024-09-14_431c75b491aa7535b92c5d9c00e23675_icedid.exe

Executes dropped EXE 2 IoCs

pid	Process
4712	svchost.exe
4988	QQ.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-14_431c75b491aa7535b92c5d9c00e23675_icedid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	QQ.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4692	2024-09-14_431c75b491aa7535b92c5d9c00e23675_icedid.exe
4692	2024-09-14_431c75b491aa7535b92c5d9c00e23675_icedid.exe
4712	svchost.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4692 wrote to memory of 4712	4692	2024-09-14_431c75b491aa7535b92c5d9c00e23675_icedid.exe	92
PID 4692 wrote to memory of 4712	4692	2024-09-14_431c75b491aa7535b92c5d9c00e23675_icedid.exe	92
PID 4692 wrote to memory of 4988	4692	2024-09-14_431c75b491aa7535b92c5d9c00e23675_icedid.exe	93
PID 4692 wrote to memory of 4988	4692	2024-09-14_431c75b491aa7535b92c5d9c00e23675_icedid.exe	93
PID 4692 wrote to memory of 4988	4692	2024-09-14_431c75b491aa7535b92c5d9c00e23675_icedid.exe	93

C:\Users\Admin\AppData\Local\Temp\2024-09-14_431c75b491aa7535b92c5d9c00e23675_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-14_431c75b491aa7535b92c5d9c00e23675_icedid.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4692
- C:\Users\Admin\AppData\Roaming\svchost.exe
  "C:\Users\Admin\AppData\Roaming\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4712
- C:\Users\Admin\AppData\Roaming\QQ.exe
  "C:\Users\Admin\AppData\Roaming\QQ.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4988

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1304,i,2727319350781907497,7925939240893079607,262144 --variations-seed-version --mojo-platform-channel-handle=4352 /prefetch:8
1⤵
PID:10632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\QQ.exe

Filesize
940KB

MD5
b36366f4a27987d6de47887b03f29c68

SHA1
6f290bd6c132ec5c824558a29bdf75d25ced94e3

SHA256
4cc1ab70e6fd0d4441c778d40212c6e3114e14d56da85717214f8498e1c1501b

SHA512
a9441175872e88fc49482ef4707fad0e1f15a3ee1f4c74f3a2fafd3744968025d35ca61ed1905239a01df58511985e00708cdae7cb9acae4cca8b51032e02359

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
296KB

MD5
7460f67864161928611617d5c28dada8

SHA1
f1de37cb94fc08b4897fe89f57eff6fb07250a20

SHA256
f3c6834b83000b99f2bbef17060d8379f7519a16a6bcef1780aa06e141e57875

SHA512
f864719ecb83a9f5534edbc410361d27e036d8b6a545ef48996968893f0e258461edc96d0c48ab75890c08c146837b3a0997cf6b666d17da269d4df525eb852e

Download Submit
memory/4988-19-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/4988-20-0x00000000750C0000-0x00000000752D5000-memory.dmp

Filesize
2.1MB

Download
memory/4988-3292-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download