1f9ceb899968ccf76bf853ed25c69ff758a1cb24630a60c34dcb06596796baeb

General

Target

2024-09-29_6e24cfb074482688a2eb6e203e5faa98_icedid.exe
Size

7.5MB
MD5

6e24cfb074482688a2eb6e203e5faa98
SHA1

a7d0254be4ed4bda1ec9843d3ebb36c485248566
SHA256

1f9ceb899968ccf76bf853ed25c69ff758a1cb24630a60c34dcb06596796baeb
SHA512

3e4f4c681ec3ee3fc69944afa60c77c4766f6bf8a168bd8153e521a7a44b1f2b737dfac7b47c5cb50993d15b44417afa5a65d5fc8869d24ef205f9cdb1e3ff7d
SSDEEP

196608:HmY+ypo9zYMXsJagR+NxtmOLYEmSwflXGNWoRnLIs:l1pagR+NxRmVnoRLIs

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2936	autorun.exe

Loads dropped DLL 2 IoCs

pid	Process
2204	2024-09-29_6e24cfb074482688a2eb6e203e5faa98_icedid.exe
2936	autorun.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000500000001870c-30.dat	upx
behavioral1/memory/2204-34-0x00000000024E0000-0x0000000002BD9000-memory.dmp	upx
behavioral1/memory/2936-36-0x0000000000400000-0x0000000000AF9000-memory.dmp	upx
behavioral1/memory/2936-43-0x0000000000400000-0x0000000000AF9000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-29_6e24cfb074482688a2eb6e203e5faa98_icedid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	autorun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2588	DllHost.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2204	2024-09-29_6e24cfb074482688a2eb6e203e5faa98_icedid.exe
2936	autorun.exe
2936	autorun.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 2936	2204	2024-09-29_6e24cfb074482688a2eb6e203e5faa98_icedid.exe	28
PID 2204 wrote to memory of 2936	2204	2024-09-29_6e24cfb074482688a2eb6e203e5faa98_icedid.exe	28
PID 2204 wrote to memory of 2936	2204	2024-09-29_6e24cfb074482688a2eb6e203e5faa98_icedid.exe	28
PID 2204 wrote to memory of 2936	2204	2024-09-29_6e24cfb074482688a2eb6e203e5faa98_icedid.exe	28
PID 2204 wrote to memory of 2936	2204	2024-09-29_6e24cfb074482688a2eb6e203e5faa98_icedid.exe	28
PID 2204 wrote to memory of 2936	2204	2024-09-29_6e24cfb074482688a2eb6e203e5faa98_icedid.exe	28
PID 2204 wrote to memory of 2936	2204	2024-09-29_6e24cfb074482688a2eb6e203e5faa98_icedid.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-09-29_6e24cfb074482688a2eb6e203e5faa98_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-29_6e24cfb074482688a2eb6e203e5faa98_icedid.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe
  "C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe" "SFXSOURCE:C:\Users\Admin\AppData\Local\Temp\2024-09-29_6e24cfb074482688a2eb6e203e5faa98_icedid.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2936

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\autorun.cdd

Filesize
13KB

MD5
5998932d737c2d3ed01c8300f6cb799d

SHA1
2b0a680c553a5069357d82d31e6859d33bc89e13

SHA256
edb406448f4fff3ec449389631797b4d57acff7f30434ad54ecd50504d629ad0

SHA512
ee5e2bf2b955b1d2bf7da18eb315cdb63f6bcfe625993882a1046de1eb81296f8ebb2f56b535e8fd0c3079afee4e81d77f05365ebfea8cad69c281d807b226f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\Logo-257-554-black-graphic.ico

Filesize
211KB

MD5
a0f905cf9ded69a296d9eac9db790ede

SHA1
164c8d907b308767714818fa206087be04e76663

SHA256
57226ad3848cc295c5a1fca957e05080ba231f04c501e5eb6912c08be3dcdaf3

SHA512
46554263c60e20c40de2e3b8decc9dfb47413444a1316c48030df8277d106e98e6cae2dc5122a94c406b5625859a221491ac654de43d493259cc814f9a817322

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\lua5.1.dll

Filesize
327KB

MD5
50f1d9f2093914c7712068608f3d66f2

SHA1
c38c655526b9ba929f01259cd35abb65744448f0

SHA256
ebeb211dfe4fce993d63206b2e3f284b569274db4730a8ee341ee81eccac9a5f

SHA512
07841d260770288f34b3e6413f6044742d82794d0812d9d58ebb2b881f935ee7661c94acddcf3a25817a98168789de0e0e0a98baaddbac2ec097a3efdd22c9ac

Download Submit
\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe

Filesize
2.8MB

MD5
c62b3d152add97d093cb23fcd55b2167

SHA1
196b85f64e03d01ca9365d2f7be752643995f897

SHA256
f5dc54eafe085cf0bf3202c0913a3b4e21a5443ad4bb1817055d4021dbaed231

SHA512
486fa4e96b6eeb62619b1b61bdcc66462d414f34f1ae9a651a7e181594c3c73a3864f59a054df0956a52721bfae1ad04b1dc5caffbe7c0badb5333270f4c3e8d

Download Submit
memory/2204-34-0x00000000024E0000-0x0000000002BD9000-memory.dmp

Filesize
7.0MB

Download
memory/2588-42-0x0000000000190000-0x0000000000192000-memory.dmp

Filesize
8KB

Download
memory/2936-36-0x0000000000400000-0x0000000000AF9000-memory.dmp

Filesize
7.0MB

Download
memory/2936-41-0x0000000002940000-0x0000000002942000-memory.dmp

Filesize
8KB

Download
memory/2936-43-0x0000000000400000-0x0000000000AF9000-memory.dmp

Filesize
7.0MB

Download

Analysis

Sharing