157b67e9221e7564b17f785849eb34aeaac048985e2a0fbd70e91fdb31606372

General

Target

2024-09-18_43e14a584e26fdaca7803060eb6630bb_icedid.exe
Size

8.9MB
MD5

43e14a584e26fdaca7803060eb6630bb
SHA1

e5ce732c8e3eded15ae3aeda441999c5558575cc
SHA256

157b67e9221e7564b17f785849eb34aeaac048985e2a0fbd70e91fdb31606372
SHA512

80fc9237633fcb6cebce88e93432ffdb513d6d58d277237a02d84b9dbefcbd03a266462053846fc6baa646dba3406d0b9ba6ef684558462df49b353abce0c6f0
SSDEEP

196608:+mY+wwvoEqtcSFyIo8wjLU1a4IbUzMZ9pLrOKZe5bGcAicyGW:Jvo/tcSFyIobU1pIwzipLrHZe5brAiQW

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4464	autorun.exe

Loads dropped DLL 1 IoCs

pid	Process
4464	autorun.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-18_43e14a584e26fdaca7803060eb6630bb_icedid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	autorun.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4464	autorun.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	3100	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3100	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2540	2024-09-18_43e14a584e26fdaca7803060eb6630bb_icedid.exe
4464	autorun.exe
4464	autorun.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2540 wrote to memory of 4464	2540	2024-09-18_43e14a584e26fdaca7803060eb6630bb_icedid.exe	87
PID 2540 wrote to memory of 4464	2540	2024-09-18_43e14a584e26fdaca7803060eb6630bb_icedid.exe	87
PID 2540 wrote to memory of 4464	2540	2024-09-18_43e14a584e26fdaca7803060eb6630bb_icedid.exe	87

C:\Users\Admin\AppData\Local\Temp\2024-09-18_43e14a584e26fdaca7803060eb6630bb_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-18_43e14a584e26fdaca7803060eb6630bb_icedid.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2540
- C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe
  "C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe" "SFXSOURCE:C:\Users\Admin\AppData\Local\Temp\2024-09-18_43e14a584e26fdaca7803060eb6630bb_icedid.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:4464

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x524 0x438
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Buttons\0001-windows-7.btn

Filesize
3KB

MD5
967fdfe0a01c083804673b4976ad6730

SHA1
5d05ade6dd0d1d67ea7879cd8f7779ef53abbd4c

SHA256
72eda9d49bcd0cd3b540f75c4215714378afbb1ce40afcbb7a0b246ab2a44f21

SHA512
50acacf15fa4cfa8319f789fb534cdb4a8d559ceb3e5e832b32015ff2fbee2c3902abfc83bc2493d57298ed32d0aeb6817e077758c4c2c956432b1d3f3c738d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\coollogo_com-31173340.png

Filesize
43KB

MD5
1cb76d7ae528229d025a1baf0b360c87

SHA1
1f2b094e0e8352fb32239d83953b91018663e4cb

SHA256
d0989acea431f84ea440ecb505463059eafe6f38d59aede6e8577bb541d70d6b

SHA512
f233878a82643565f912edb64b81013fea91efdfd121536cb44373e02c6a3615f06da8378c4b20322db8c4dda7d94e029920e16f323004b541c9e41072e1046e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\autorun.cdd

Filesize
1.5MB

MD5
b213130c93d0df745c056a9b8aefb17c

SHA1
1741e26873f01c4f0b333702ee2c5681b9559f90

SHA256
dce2d47e5c5840d67cd30cdbc006bfedf810a89b720c1d98199c8c2da5431889

SHA512
b429426094b1f9dded37228244e6fec0951d9e5dc03e7e2101b70c9ed8cbc46e0e975fc114475490248be4dae3e52f66ed5a020bbfc21c0ff0781a52e05f4176

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\Computer-Hardware-Keyboard-2-icon.ico

Filesize
109KB

MD5
6a796155cb5cba5d87e9d78559abdb83

SHA1
e7ccceb85fac104590ff6d6f03db4679b29bc56f

SHA256
6801d541e3d4e653591b9c7d0ecb96b50629ddb1e4555a24b8654d2ac2ec511c

SHA512
0bd9f237b6ee104be0a1eb35a33a254fca96ceba444a64834e2b95b807314b5dfb8806f003cb37099c449f35dd98ae04d29700003af85adcc955e41f3e338722

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe

Filesize
6.1MB

MD5
fe9345877a953472951c7309ca0831d0

SHA1
21b4d8f9ebfdf267e694e9f3b396b627109fb23b

SHA256
62e543e2df0a3f973001a3c2caf45831bb994ba1aaab9ff2a0e3fecbcbcaa650

SHA512
f0b584b3b0d7b5cf3ca531d3c1fe9a9a918003250ee8b0ba77f970d59cfdf4c80a3cc45afcef17bb459a0d63fded4d46eb74e20e7a3ad82b1be99875c5e5d3fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\lua5.1.dll

Filesize
322KB

MD5
c3256800dce47c14acc83ccca4c3e2ac

SHA1
9d126818c66991dbc3813a65eddb88bbcf77f30a

SHA256
f26f4f66022acc96d0319c09814ebeda60f4ab96b63b6262045dc786dc7c5866

SHA512
6865a98ad8a6bd02d1ba35a28b36b6306af393f5e9ad767cd6da027bb021f7399d629423f510c44436ac3e4603b6c606493edf8b14d21fabf3eab16d37bd0d25

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\lua51.dll

Filesize
11KB

MD5
7fa818f532effd80cf7c1c54676e5a0d

SHA1
05ce44c8d0672c9f3ce66436c592442377e69dba

SHA256
1c2d1ba8425139d45de89192d2ae4982e9581f8ae0f22b8497aa0055080237ca

SHA512
38baed895bc71bb890e91a92909f6e78ad34569ce6c7efd8bd9db50080da22697a085f98a3465c3e31165fb9029644e5a0f6bc5ba17d71d7f0dcd31784f0811d

Download Submit

Analysis

Sharing