7e8e9bf6ef003cf53c3f036315acb51ba792bf827aade73adf131ef95f56e9ab

General

Target

2024-10-09_8a2df8050fc8bdfd46a3efe7893f2951_icedid.exe
Size

639KB
MD5

8a2df8050fc8bdfd46a3efe7893f2951
SHA1

de03161e09d8b8ab3c8099873db9f0d6ed7bc017
SHA256

7e8e9bf6ef003cf53c3f036315acb51ba792bf827aade73adf131ef95f56e9ab
SHA512

07e07abec0ec68a3d171b2dee064e07d0039934c586c1dff55e0c4b7b27f2f79992b06c413c3a8e2b0c76b0c9a540ca0e9fb7e793a3fa84a5a253876316bcd04
SSDEEP

12288:/WBasotvO7uknSY7J1o3xIamffkReBiNo+L7NSDAkiOolkV:eBasowSg1ohSkROMo+f1kZolG

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1900	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2384	AhnSvc.exe

Loads dropped DLL 2 IoCs

pid	Process
3056	2024-10-09_8a2df8050fc8bdfd46a3efe7893f2951_icedid.exe
3056	2024-10-09_8a2df8050fc8bdfd46a3efe7893f2951_icedid.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AhnUpadate = "\"C:\\ProgramData\\AhnLab\\AhnSvc.exe\" /run"	2024-10-09_8a2df8050fc8bdfd46a3efe7893f2951_icedid.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3052 set thread context of 3056	3052	2024-10-09_8a2df8050fc8bdfd46a3efe7893f2951_icedid.exe	30

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-09_8a2df8050fc8bdfd46a3efe7893f2951_icedid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-09_8a2df8050fc8bdfd46a3efe7893f2951_icedid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AhnSvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3056	2024-10-09_8a2df8050fc8bdfd46a3efe7893f2951_icedid.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3052	2024-10-09_8a2df8050fc8bdfd46a3efe7893f2951_icedid.exe
3052	2024-10-09_8a2df8050fc8bdfd46a3efe7893f2951_icedid.exe
2384	AhnSvc.exe
2384	AhnSvc.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 3052 wrote to memory of 3056	3052	2024-10-09_8a2df8050fc8bdfd46a3efe7893f2951_icedid.exe	30
PID 3052 wrote to memory of 3056	3052	2024-10-09_8a2df8050fc8bdfd46a3efe7893f2951_icedid.exe	30
PID 3052 wrote to memory of 3056	3052	2024-10-09_8a2df8050fc8bdfd46a3efe7893f2951_icedid.exe	30
PID 3052 wrote to memory of 3056	3052	2024-10-09_8a2df8050fc8bdfd46a3efe7893f2951_icedid.exe	30
PID 3052 wrote to memory of 3056	3052	2024-10-09_8a2df8050fc8bdfd46a3efe7893f2951_icedid.exe	30
PID 3052 wrote to memory of 3056	3052	2024-10-09_8a2df8050fc8bdfd46a3efe7893f2951_icedid.exe	30
PID 3052 wrote to memory of 3056	3052	2024-10-09_8a2df8050fc8bdfd46a3efe7893f2951_icedid.exe	30
PID 3052 wrote to memory of 3056	3052	2024-10-09_8a2df8050fc8bdfd46a3efe7893f2951_icedid.exe	30
PID 3052 wrote to memory of 3056	3052	2024-10-09_8a2df8050fc8bdfd46a3efe7893f2951_icedid.exe	30
PID 3052 wrote to memory of 3056	3052	2024-10-09_8a2df8050fc8bdfd46a3efe7893f2951_icedid.exe	30
PID 3052 wrote to memory of 3056	3052	2024-10-09_8a2df8050fc8bdfd46a3efe7893f2951_icedid.exe	30
PID 3056 wrote to memory of 2384	3056	2024-10-09_8a2df8050fc8bdfd46a3efe7893f2951_icedid.exe	31
PID 3056 wrote to memory of 2384	3056	2024-10-09_8a2df8050fc8bdfd46a3efe7893f2951_icedid.exe	31
PID 3056 wrote to memory of 2384	3056	2024-10-09_8a2df8050fc8bdfd46a3efe7893f2951_icedid.exe	31
PID 3056 wrote to memory of 2384	3056	2024-10-09_8a2df8050fc8bdfd46a3efe7893f2951_icedid.exe	31
PID 3056 wrote to memory of 1900	3056	2024-10-09_8a2df8050fc8bdfd46a3efe7893f2951_icedid.exe	32
PID 3056 wrote to memory of 1900	3056	2024-10-09_8a2df8050fc8bdfd46a3efe7893f2951_icedid.exe	32
PID 3056 wrote to memory of 1900	3056	2024-10-09_8a2df8050fc8bdfd46a3efe7893f2951_icedid.exe	32
PID 3056 wrote to memory of 1900	3056	2024-10-09_8a2df8050fc8bdfd46a3efe7893f2951_icedid.exe	32

C:\Users\Admin\AppData\Local\Temp\2024-10-09_8a2df8050fc8bdfd46a3efe7893f2951_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-09_8a2df8050fc8bdfd46a3efe7893f2951_icedid.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Users\Admin\AppData\Local\Temp\2024-10-09_8a2df8050fc8bdfd46a3efe7893f2951_icedid.exe
  "C:\Users\Admin\AppData\Local\Temp\2024-10-09_8a2df8050fc8bdfd46a3efe7893f2951_icedid.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3056
- - C:\ProgramData\AhnLab\AhnSvc.exe
    "C:\ProgramData\AhnLab\AhnSvc.exe" /run
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2384
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del /q "C:\Users\Admin\AppData\Local\Temp\2024-10-09_8a2df8050fc8bdfd46a3efe7893f2951_icedid.exe" >> NUL
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:1900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Indicator Removal

1

T1070

File Deletion

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\ProgramData\AhnLab\AhnSvc.exe

Filesize
639KB

MD5
00eb548b5643e141f85d6538f1162f88

SHA1
8f7827f2f96b9677196656e0fe47ca19b72114ef

SHA256
2b05d140fbd1ece5314be2b8f2285545565cdb798cee3f26d5aa072dbe98c6b5

SHA512
1bc815182f10fe1c1acc9d51ecf436b47b99bcd5b4bdb808b985addb7f3f77eaa52487e3df3b68c41fb9e1c86efbf641bfbe5d24eb712f424cc5801d6780d90c

Download Submit
memory/2384-29-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3052-1-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3052-0-0x0000000000401000-0x0000000000468000-memory.dmp

Filesize
412KB

Download
memory/3056-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3056-16-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3056-19-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3056-6-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3056-4-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3056-2-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3056-11-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3056-18-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3056-8-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3056-32-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3056-30-0x0000000000420000-0x00000000004FF000-memory.dmp

Filesize
892KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads