7e8e9bf6ef003cf53c3f036315acb51ba792bf827aade73adf131ef95f56e9ab

General

Target

2024-10-09_8a2df8050fc8bdfd46a3efe7893f2951_icedid.exe
Size

639KB
MD5

8a2df8050fc8bdfd46a3efe7893f2951
SHA1

de03161e09d8b8ab3c8099873db9f0d6ed7bc017
SHA256

7e8e9bf6ef003cf53c3f036315acb51ba792bf827aade73adf131ef95f56e9ab
SHA512

07e07abec0ec68a3d171b2dee064e07d0039934c586c1dff55e0c4b7b27f2f79992b06c413c3a8e2b0c76b0c9a540ca0e9fb7e793a3fa84a5a253876316bcd04
SSDEEP

12288:/WBasotvO7uknSY7J1o3xIamffkReBiNo+L7NSDAkiOolkV:eBasowSg1ohSkROMo+f1kZolG

Score

7^/10

defense_evasion discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	2024-10-09_8a2df8050fc8bdfd46a3efe7893f2951_icedid.exe

Executes dropped EXE 2 IoCs

pid	Process
2596	AhnSvc.exe
4472	AhnSvc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AhnUpadate = "\"C:\\ProgramData\\AhnLab\\AhnSvc.exe\" /run"	2024-10-09_8a2df8050fc8bdfd46a3efe7893f2951_icedid.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 828 set thread context of 5036	828	2024-10-09_8a2df8050fc8bdfd46a3efe7893f2951_icedid.exe	86
PID 2596 set thread context of 4472	2596	AhnSvc.exe	90

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AhnSvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-09_8a2df8050fc8bdfd46a3efe7893f2951_icedid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-09_8a2df8050fc8bdfd46a3efe7893f2951_icedid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AhnSvc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5036	2024-10-09_8a2df8050fc8bdfd46a3efe7893f2951_icedid.exe
Token: SeDebugPrivilege	4472	AhnSvc.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
828	2024-10-09_8a2df8050fc8bdfd46a3efe7893f2951_icedid.exe
828	2024-10-09_8a2df8050fc8bdfd46a3efe7893f2951_icedid.exe
2596	AhnSvc.exe
2596	AhnSvc.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 828 wrote to memory of 5036	828	2024-10-09_8a2df8050fc8bdfd46a3efe7893f2951_icedid.exe	86
PID 828 wrote to memory of 5036	828	2024-10-09_8a2df8050fc8bdfd46a3efe7893f2951_icedid.exe	86
PID 828 wrote to memory of 5036	828	2024-10-09_8a2df8050fc8bdfd46a3efe7893f2951_icedid.exe	86
PID 828 wrote to memory of 5036	828	2024-10-09_8a2df8050fc8bdfd46a3efe7893f2951_icedid.exe	86
PID 828 wrote to memory of 5036	828	2024-10-09_8a2df8050fc8bdfd46a3efe7893f2951_icedid.exe	86
PID 828 wrote to memory of 5036	828	2024-10-09_8a2df8050fc8bdfd46a3efe7893f2951_icedid.exe	86
PID 828 wrote to memory of 5036	828	2024-10-09_8a2df8050fc8bdfd46a3efe7893f2951_icedid.exe	86
PID 828 wrote to memory of 5036	828	2024-10-09_8a2df8050fc8bdfd46a3efe7893f2951_icedid.exe	86
PID 828 wrote to memory of 5036	828	2024-10-09_8a2df8050fc8bdfd46a3efe7893f2951_icedid.exe	86
PID 828 wrote to memory of 5036	828	2024-10-09_8a2df8050fc8bdfd46a3efe7893f2951_icedid.exe	86
PID 5036 wrote to memory of 2596	5036	2024-10-09_8a2df8050fc8bdfd46a3efe7893f2951_icedid.exe	87
PID 5036 wrote to memory of 2596	5036	2024-10-09_8a2df8050fc8bdfd46a3efe7893f2951_icedid.exe	87
PID 5036 wrote to memory of 2596	5036	2024-10-09_8a2df8050fc8bdfd46a3efe7893f2951_icedid.exe	87
PID 5036 wrote to memory of 1856	5036	2024-10-09_8a2df8050fc8bdfd46a3efe7893f2951_icedid.exe	88
PID 5036 wrote to memory of 1856	5036	2024-10-09_8a2df8050fc8bdfd46a3efe7893f2951_icedid.exe	88
PID 5036 wrote to memory of 1856	5036	2024-10-09_8a2df8050fc8bdfd46a3efe7893f2951_icedid.exe	88
PID 2596 wrote to memory of 4472	2596	AhnSvc.exe	90
PID 2596 wrote to memory of 4472	2596	AhnSvc.exe	90
PID 2596 wrote to memory of 4472	2596	AhnSvc.exe	90
PID 2596 wrote to memory of 4472	2596	AhnSvc.exe	90
PID 2596 wrote to memory of 4472	2596	AhnSvc.exe	90
PID 2596 wrote to memory of 4472	2596	AhnSvc.exe	90
PID 2596 wrote to memory of 4472	2596	AhnSvc.exe	90
PID 2596 wrote to memory of 4472	2596	AhnSvc.exe	90
PID 2596 wrote to memory of 4472	2596	AhnSvc.exe	90
PID 2596 wrote to memory of 4472	2596	AhnSvc.exe	90

C:\Users\Admin\AppData\Local\Temp\2024-10-09_8a2df8050fc8bdfd46a3efe7893f2951_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-09_8a2df8050fc8bdfd46a3efe7893f2951_icedid.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:828
- C:\Users\Admin\AppData\Local\Temp\2024-10-09_8a2df8050fc8bdfd46a3efe7893f2951_icedid.exe
  "C:\Users\Admin\AppData\Local\Temp\2024-10-09_8a2df8050fc8bdfd46a3efe7893f2951_icedid.exe"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5036
- - C:\ProgramData\AhnLab\AhnSvc.exe
    "C:\ProgramData\AhnLab\AhnSvc.exe" /run
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2596
  - - C:\ProgramData\AhnLab\AhnSvc.exe
      "C:\ProgramData\AhnLab\AhnSvc.exe" /run
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4472
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del /q "C:\Users\Admin\AppData\Local\Temp\2024-10-09_8a2df8050fc8bdfd46a3efe7893f2951_icedid.exe" >> NUL
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Indicator Removal

1

T1070

File Deletion

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AhnLab\AhnSvc.exe

Filesize
639KB

MD5
498150412c7f5bea64d16c9f2a06419b

SHA1
5c9d8281266ba08a1e4a9717024f23fd0d7ae230

SHA256
ab3a8ce0b37d3fcd5dda83002e4eaf7ace32a1cee97c07ccbf98d382478ce86b

SHA512
9f3f8b3e197fa5cf76a38133d63b71b02b6737e82631ef9ba1df79b17f1964270a39f192dcad034f7247b45f3502600d3233a9e6f3432b15481622bd7cf8dc86

Download Submit
memory/828-1-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/828-0-0x0000000000401000-0x0000000000468000-memory.dmp

Filesize
412KB

Download
memory/2596-13-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4472-17-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4472-18-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4472-16-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4472-21-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4472-27-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5036-3-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5036-5-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5036-12-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5036-10-0x0000000000420000-0x00000000004E9000-memory.dmp

Filesize
804KB

Download
memory/5036-4-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5036-2-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads