Analysis
max time kernel: 138s
max time network: 139s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-10-2024 18:50

Static task: static1

Behavioral task: behavioral1
Sample: 2024-10-30_9b96bb0642e2665096d9f55905456b09_floxif_icedid.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: 2024-10-30_9b96bb0642e2665096d9f55905456b09_floxif_icedid.exe
Resource: win10v2004-20241007-en

General
Target: 2024-10-30_9b96bb0642e2665096d9f55905456b09_floxif_icedid.exe
Size: 14.0MB
MD5: 9b96bb0642e2665096d9f55905456b09
SHA1: aa1d4448549480f49adff7dba282042d766c0771
SHA256: fb491e160ff7c68719378487269a5430ec08bf28b4aa223df8e2af49292f8d4d
SHA512: 9ac9a5fc4ca0c87514e22d6fb0676e8d3c9757d23ea26b68ae30ac542b2b0536350ebcf6be9228756b5a748151eed14c15191a24a73d6b52b02181c8560bc9cb
SSDEEP: 196608:OYSexZiwA6dwpTyUxqZBrSnM77MzyP8hjVVhAOltnZgsm2:vtwvwUMfMzzhhVhAOLnb
Malware Config
Signatures
Floxif family
Detects Floxif payload 1 IoCs
resource: C:\Program Files\Common Files\System\symsrv.dll, yara_rule: floxif
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
resource: C:\Program Files\Common Files\System\symsrv.dll, yara_rule: acprotect
Executes dropped EXE 2 IoCs
pid 692: vcredist_x86.exe
pid 3108: VCREDI~3.EXE
Loads dropped DLL 14 IoCs
Adds Run key to start application 2 TTPs 1 IoCs
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (process: VCREDI~3.EXE)
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates connected drives 3 TTPs 47 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
resource: C:\Program Files\Common Files\System\symsrv.dll, yara_rule: upx
resource: behavioral2/memory/4896-4-0x0000000010000000-0x0000000010030000-memory.dmp, yara_rule: upx
resource: behavioral2/memory/4896-178-0x0000000010000000-0x0000000010030000-memory.dmp, yara_rule: upx
resource: behavioral2/memory/4896-198-0x0000000010000000-0x0000000010030000-memory.dmp, yara_rule: upx
resource: behavioral2/memory/4896-313-0x0000000010000000-0x0000000010030000-memory.dmp, yara_rule: upx
Drops file in Program Files directory 31 IoCs
Drops file in Windows directory 60 IoCs
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: MsiExec.exe)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 2024-10-30_9b96bb0642e2665096d9f55905456b09_floxif_icedid.exe)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: vcredist_x86.exe)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: VCREDI~3.EXE)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: msiexec.exe)
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
Modifies data under HKEY_USERS 3 IoCs
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 (process: msiexec.exe)
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E (process: msiexec.exe)
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 (process: msiexec.exe)
Modifies registry class 64 IoCs
Suspicious behavior: EnumeratesProcesses 18 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
2024-10-30_9b96bb0642e2665096d9f55905456b09_floxif_icedid.exe, msiexec.exe, msiexec.exe, vssvc.exe, srtasks.exe
description pid process
Token: SeDebugPrivilege 4896 2024-10-30_9b96bb0642e2665096d9f55905456b09_floxif_icedid.exe
Token: SeShutdownPrivilege 2728 msiexec.exe
Token: SeIncreaseQuotaPrivilege 2728 msiexec.exe
Token: SeSecurityPrivilege 1384 msiexec.exe
Token: SeCreateTokenPrivilege 2728 msiexec.exe
Token: SeAssignPrimaryTokenPrivilege 2728 msiexec.exe
Token: SeLockMemoryPrivilege 2728 msiexec.exe
Token: SeIncreaseQuotaPrivilege 2728 msiexec.exe
Token: SeMachineAccountPrivilege 2728 msiexec.exe
Token: SeTcbPrivilege 2728 msiexec.exe
Token: SeSecurityPrivilege 2728 msiexec.exe
Token: SeTakeOwnershipPrivilege 2728 msiexec.exe
Token: SeLoadDriverPrivilege 2728 msiexec.exe
Token: SeSystemProfilePrivilege 2728 msiexec.exe
Token: SeSystemtimePrivilege 2728 msiexec.exe
Token: SeProfSingleProcessPrivilege 2728 msiexec.exe
Token: SeIncBasePriorityPrivilege 2728 msiexec.exe
Token: SeCreatePagefilePrivilege 2728 msiexec.exe
Token: SeCreatePermanentPrivilege 2728 msiexec.exe
Token: SeBackupPrivilege 2728 msiexec.exe
Token: SeRestorePrivilege 2728 msiexec.exe
Token: SeShutdownPrivilege 2728 msiexec.exe
Token: SeDebugPrivilege 2728 msiexec.exe
Token: SeAuditPrivilege 2728 msiexec.exe
Token: SeSystemEnvironmentPrivilege 2728 msiexec.exe
Token: SeChangeNotifyPrivilege 2728 msiexec.exe
Token: SeRemoteShutdownPrivilege 2728 msiexec.exe
Token: SeUndockPrivilege 2728 msiexec.exe
Token: SeSyncAgentPrivilege 2728 msiexec.exe
Token: SeEnableDelegationPrivilege 2728 msiexec.exe
Token: SeManageVolumePrivilege 2728 msiexec.exe
Token: SeImpersonatePrivilege 2728 msiexec.exe
Token: SeCreateGlobalPrivilege 2728 msiexec.exe
Token: SeBackupPrivilege 4392 vssvc.exe
Token: SeRestorePrivilege 4392 vssvc.exe
Token: SeAuditPrivilege 4392 vssvc.exe
Token: SeBackupPrivilege 1384 msiexec.exe
Token: SeRestorePrivilege 1384 msiexec.exe
Token: SeRestorePrivilege 1384 msiexec.exe
Token: SeTakeOwnershipPrivilege 1384 msiexec.exe
Token: SeBackupPrivilege 3984 srtasks.exe
Token: SeRestorePrivilege 3984 srtasks.exe
Token: SeSecurityPrivilege 3984 srtasks.exe
Token: SeTakeOwnershipPrivilege 3984 srtasks.exe
Token: SeBackupPrivilege 3984 srtasks.exe
Token: SeRestorePrivilege 3984 srtasks.exe
Token: SeSecurityPrivilege 3984 srtasks.exe
Token: SeTakeOwnershipPrivilege 3984 srtasks.exe
Token: SeRestorePrivilege 1384 msiexec.exe
Token: SeTakeOwnershipPrivilege 1384 msiexec.exe
Token: SeRestorePrivilege 1384 msiexec.exe
Token: SeTakeOwnershipPrivilege 1384 msiexec.exe
Token: SeRestorePrivilege 1384 msiexec.exe
Token: SeTakeOwnershipPrivilege 1384 msiexec.exe
Token: SeRestorePrivilege 1384 msiexec.exe
Token: SeTakeOwnershipPrivilege 1384 msiexec.exe
Token: SeRestorePrivilege 1384 msiexec.exe
Token: SeTakeOwnershipPrivilege 1384 msiexec.exe
Token: SeRestorePrivilege 1384 msiexec.exe
Token: SeTakeOwnershipPrivilege 1384 msiexec.exe
Token: SeRestorePrivilege 1384 msiexec.exe
Token: SeTakeOwnershipPrivilege 1384 msiexec.exe
Token: SeRestorePrivilege 1384 msiexec.exe
Token: SeTakeOwnershipPrivilege 1384 msiexec.exe
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
msiexec.exe
pid process
2728 msiexec.exe
2728 msiexec.exe
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
2024-10-30_9b96bb0642e2665096d9f55905456b09_floxif_icedid.exe
pid process
4896 2024-10-30_9b96bb0642e2665096d9f55905456b09_floxif_icedid.exe
4896 2024-10-30_9b96bb0642e2665096d9f55905456b09_floxif_icedid.exe
4896 2024-10-30_9b96bb0642e2665096d9f55905456b09_floxif_icedid.exe
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
2024-10-30_9b96bb0642e2665096d9f55905456b09_floxif_icedid.exe, vcredist_x86.exe, VCREDI~3.EXE, msiexec.exe
description pid process target process
PID 4896 wrote to memory of 692 4896 2024-10-30_9b96bb0642e2665096d9f55905456b09_floxif_icedid.exe vcredist_x86.exe
PID 4896 wrote to memory of 692 4896 2024-10-30_9b96bb0642e2665096d9f55905456b09_floxif_icedid.exe vcredist_x86.exe
PID 4896 wrote to memory of 692 4896 2024-10-30_9b96bb0642e2665096d9f55905456b09_floxif_icedid.exe vcredist_x86.exe
PID 692 wrote to memory of 3108 692 vcredist_x86.exe VCREDI~3.EXE
PID 692 wrote to memory of 3108 692 vcredist_x86.exe VCREDI~3.EXE
PID 692 wrote to memory of 3108 692 vcredist_x86.exe VCREDI~3.EXE
PID 3108 wrote to memory of 2728 3108 VCREDI~3.EXE msiexec.exe
PID 3108 wrote to memory of 2728 3108 VCREDI~3.EXE msiexec.exe
PID 3108 wrote to memory of 2728 3108 VCREDI~3.EXE msiexec.exe
PID 1384 wrote to memory of 3984 1384 msiexec.exe srtasks.exe
PID 1384 wrote to memory of 3984 1384 msiexec.exe srtasks.exe
PID 1384 wrote to memory of 800 1384 msiexec.exe MsiExec.exe
PID 1384 wrote to memory of 800 1384 msiexec.exe MsiExec.exe
PID 1384 wrote to memory of 800 1384 msiexec.exe MsiExec.exe
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-10-30_9b96bb0642e2665096d9f55905456b09_floxif_icedid.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-10-30_9b96bb0642e2665096d9f55905456b09_floxif_icedid.exe"
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4896 -
C:\Program Files (x86)\TOBESOFT\XPLATFORM\9.2\vcredist_x86.exe (depth 2)
Command line: "C:\Program Files (x86)\TOBESOFT\XPLATFORM\9.2\vcredist_x86.exe" /Q /T:C:\Windows
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:692 -
C:\Windows\VCREDI~3.EXE (depth 3)
Command line: C:\Windows\VCREDI~3.EXE
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3108 -
C:\Windows\SysWOW64\msiexec.exe (depth 4)
Command line: msiexec /i vcredist.msi
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2728
-
C:\Windows\system32\msiexec.exe (depth 1)
Command line: C:\Windows\system32\msiexec.exe /V
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1384 -
C:\Windows\system32\srtasks.exe (depth 2)
Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
- Suspicious use of AdjustPrivilegeToken
PID:3984 -
C:\Windows\syswow64\MsiExec.exe (depth 2)
Command line: C:\Windows\syswow64\MsiExec.exe -Embedding E72E40889D374BF323E91FBFA0683683
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:800
-
C:\Windows\system32\vssvc.exe (depth 1)
Command line: C:\Windows\system32\vssvc.exe
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4392
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution 1
Registry Run Keys / Startup Folder 1
Event Triggered Execution 1
Installer Packages 1
Privilege Escalation
Boot or Logon Autostart Execution 1
Registry Run Keys / Startup Folder 1
Event Triggered Execution 1
Installer Packages 1
Downloads
-
Filesize 66KB
MD5 9704e0dd23269ced2d41aba11fe6721b
SHA1 3fbc877553a3cf6e4f78a02179533006fc6bbf6b
SHA256 67d049fe57e9272d147c2160ead322a808d419d7a88bcf36b4a9bdd972f4b3d3
SHA512 8600e0f41119b9d2361edb4b8ac1ad34ba25757ac27aad287bfd354e5e1c7618db697bb2f332b56cce8cf929b28189b7305ca15320049e9520680a543aa2fbf9
-
Filesize 372KB
MD5 77d1325957482a9c5f198d99604f2b33
SHA1 c11a2c8f401939c3103257d44a491fb35616d9b0
SHA256 58e03870f4e9cd0837f5cf0c6f7c7620e1153424d8e09ec354486f218873d7aa
SHA512 daf95fd69acea9ea59b4bba99ee75034b6c98f2c675e824b19bc605f112009702896ada36ed8cf08001fdf2a5da2d39685c87c79b1394a2dc2ee6e402614a1f0
-
Filesize 145KB
MD5 deb8a306a17795cc4e3f7790f8111789
SHA1 cb6aa067e0b9d4fa6c8877e3af6425c5379f8cc9
SHA256 9dbf1921f5e1e3b6d3b7feeedcd65ef3b4ba307d65af856aaf2eda36196e70bd
SHA512 7331d0444631bc02cdda91917e597000f29190fac424e329bb6b55c28394adf6e368b4ec196686b8b3e7b7e157a0dd43210d9d4427980c70c03d6d4eb388c91e
-
Filesize 2KB
MD5 6275d63f1f06a1704d5b69703d8b70a8
SHA1 d05a85e88de488bbf8feb07db106c75ae4180ba2
SHA256 d42536e610df4219060da1cafd64ff5c505b71e8055cfc6f00b5028bec9ef56f
SHA512 0ced726133cf694e8ffa5cc5b49dfe2dcc0d585e1676b3bc346f6f1432c3359be9cd3846494cb9d7d6cb832887872c30b76db9f82ad55c4694c58ab90cd35f01
-
Filesize 2.6MB
MD5 6402438591b548121f54b0706a2c6423
SHA1 e052789ebad7dc8d6f8505a9295b0576babd125e
SHA256 d6832398e3bc9156a660745f427dc1c2392ce4e9a872e04f41f62d0c6bae07a8
SHA512 c615e6337a9507bfaaff14e23043e206351d48bf7ba1d0c244c4bc8a08f411b4aa27f9a9074a87b320007b3cfca448306752fd343392bdde83b851b0e7daadef
-
Filesize 67KB
MD5 7574cf2c64f35161ab1292e2f532aabf
SHA1 14ba3fa927a06224dfe587014299e834def4644f
SHA256 de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085
SHA512 4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab
-
Filesize 175B
MD5 1130c911bf5db4b8f7cf9b6f4b457623
SHA1 48e734c4bc1a8b5399bff4954e54b268bde9d54c
SHA256 eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1
SHA512 94e2511ef2c53494c2aff0960266491ffc0e54e75185427d1ccedae27c286992c754ca94cbb0c9ea36e3f04cd4eb7f032c551cf2d4b309f292906303f1a75fa0
-
Filesize 247KB
MD5 d5dd8a90812067e0ccb23a7299f82562
SHA1 5787391891cef8295666bce637d10e992d021d81
SHA256 71a4560b0eb5e45c385ce3aef154d97fa944b762f9aff3b3b9364d42bd1d5afd
SHA512 d38d3bcb8a640538a3a1b4052727d8d291d8d17218ba1abcaab1dca615bd83d3317a4bed89e495fadfbe6d20791562e5a8032284ae1cfeadc0020337ea0fe673
-
Filesize 2.6MB
MD5 f194e681c552647c95441877b5552415
SHA1 285c6b1dbbc2d1525c9b1c276a4901b98d49b202
SHA256 6d4f42d5856384c2566ed79bdc587993208013640b035b04540de9f05ee597d6
SHA512 8ed21ce7829a1cb6c2dd4eff2e3701171aeba5b7e4337eaf0ddff86ea3fda812198a2e3fb4f1873b129944bdc8ddb09ebbd78e5c2b9811900cb853ef2afdab8c
-
Filesize 16KB
MD5 1887d7610a7a2395eff113688fa2e177
SHA1 b71019dae177f9a032641917f9fa2782ae115696
SHA256 dee85807bfe229ac3ad8c27ddbd2ccb4e4c300ae32d683a3d13d121f88704285
SHA512 22cbc7b0ba6c3a26b6456ed8f69fe99fad4c35f91a912865c63d2695312fd301ab6531ab63a09e05f8ecfd6cbe65cf0e8d0f83107b63213ad08d20dfcf8b037a
-
Filesize 2.2MB
MD5 f76671fcdb1fb5b23f8319af2b22d73f
SHA1 07778071201128d0a46d8202fcdf71312d675e65
SHA256 2ef76c6fbd51a52eb0a70daa34d610d09143b0ba4dba0eadd415d9e4b5d5c3b5
SHA512 d1d963e4e0151c53ba0ea2bd9551c92ca4668a0a33dbbe3c96d03c04a45d8a8af3c5fa8a3ecc50fd3f31c34d9e540c2b550cc6526e672b3e6281f267cda00264
-
Filesize 472KB
MD5 8e979523aa4d458beb39db78f1270cdb
SHA1 945f937113a99b33650a9c78586af765b94922bc
SHA256 946ed4ba39848b2c7f294f4d3ef21dd40380f0009161d588869f34afc83dcf80
SHA512 96c38cf3124d6c2aa54f65d0e718bdabb5560e979dce7315fea8534036ce2a4181808e619c92fcec062aacc6a28c3f4053495bad73db4551358049ef2afb13e2
-
Filesize 208KB
MD5 d006bfa80449ae174fec8b8cb223985b
SHA1 aa94e03c02225559472b629fcc7aa2c24ff2490f
SHA256 1f7d4e744b95993f46ccbf0437a757e6369354a3adbe05b787e79e896f6a6e51
SHA512 c4a4a6aecc6ae6781ddd5f3e3f94f32edb6a702a2d1e11257216ce0c107aee6113af609560af5eaaa144c2c1ba909478461b0afdf08e020c5e9b6553d6e3f2ac
-
Filesize 24KB
MD5 c34935d3cc577b6eaa8ad5961f90a184
SHA1 74767ca06b239146552eeabb627ee73a6d32b524
SHA256 218c27dc154e846955ecff1ccde278e154dc80eb91867c66c971dd9acf150556
SHA512 fdcea36bc99787803f1ef9bdf3780e0108c25ba67ffbbabde1063b8cc7cb43eb9cace4f8c211368341874ce68432005ea85ba5504a37b6f526869e115e9bbf9d
-
Filesize 394KB
MD5 adaf8badbf89a6e919fed937427271d2
SHA1 3504185a4e0d056173feea6a74f3fc0ac567b453
SHA256 3b208a470b78b837a887b39654ab18d9ae4dce9834cd743e1420df831b5dcdc3
SHA512 ab1f24223283dc09eb51cb6cbc9418e1c9c44de7a821c71af55f59012756118880a31a829c796eb0be29850e41fb4b4a452a66e43b0e489e7e0b1138517f7a1b
-
Filesize 162KB
MD5 687e40cfb833fc88845bf11f7e544ab0
SHA1 64df118cc52cdd5a41f3a50f033f93b509e2c514
SHA256 d85d34e4b463c49c85df6c726fd23baa9c1d4e67c0b23645e5ec2a549833df4e
SHA512 393419f8084ed03391817db45944d85b7fde3e6b6a113e45c38d84e4cb2d410314e6a8120abc5a0931ad18ff14e8960d49446ea3637d49c93afdd6f2338e4d10
-
Filesize 4.2MB
MD5 b79fcb87619c8b3a1451f5692213a252
SHA1 35d29f60cde4448b4be98b4ca601c1d6d7609270
SHA256 78fe137cc376e5095d895eb5414def086f04fe9519eb2ae82e1add2bfe31b200
SHA512 b25b8daadc559d0421e4cc00d2a56236a143770f72074cf609d57c31f738f055bf997b9480376d08bc817f83b283f3e73d5a39c104e5a19590683cea0342819a
-
Filesize 640KB
MD5 99e4e9f6840d502cb5fbfd33d1d953c5
SHA1 8263689eee68476caba614fefa21f72faa0267cd
SHA256 59e49ff3a8c74a44f164bd1191d0f6a7333a0b937b48a8c4d8a79424b2bb68f1
SHA512 05ae5336566e9efd0745e7c7ca728e18c54691bba994ed5bb591fe6ae37331103780e2d5db5a9be9bca4aafff775a9c1f3714aa53ad3c1603e30453837ee5caf
-
Filesize 88KB
MD5 4b5dd947944cd975bd7d54cadf742f04
SHA1 1a74304bcae004ad7feb7d7b5c3e12b0e6166246
SHA256 bf53afbb278f98e8c4c67504dfa4d37350e15d7851981c0d5741afdecd6bf8be
SHA512 4a52d648fbb2e71289d3a0ad4325569620de6adbc520e44889ecb270fa76872fec6efa88094ba7d25326d308f5b0c39daf20f0c0f160f4cc9026896915b038a4
-
Filesize 28KB
MD5 85221b3bcba8dbe4b4a46581aa49f760
SHA1 746645c92594bfc739f77812d67cfd85f4b92474
SHA256 f6e34a4550e499346f5ab1d245508f16bf765ff24c4988984b89e049ca55737f
SHA512 060e35c4de14a03a2cda313f968e372291866cc4acd59977d7a48ac3745494abc54df83fff63cf30be4e10ff69a3b3c8b6c38f43ebd2a8d23d6c86fbee7ba87d
-
Filesize 2.6MB
MD5 c5c698758bd9da02cc2ef94dcf1b4637
SHA1 1d6773537b0baba779090c7fa29be43d2130c3dd
SHA256 e1df4fda1f4f6a5d9faa94cc53e77458a53c56a87df4f1062708095150c86dbf
SHA512 c238860204de3933c7c41ba5f621f957d602286fa3a19a1bf4b6b272d8b417a20f5351ccf6ae5b46dde6ae938c7158e0f11d610e7a76a3530ba6825a96c9196b
-
Filesize 24.1MB
MD5 70cfa62ff21c81875fb214ff8feb0441
SHA1 5085a76e229bf0debf51325d1c350c98dbfec59c
SHA256 6a1908e77712ce5cbcdfa9e65454a85c1da85bd954965bdcdd48eb4a0e54f186
SHA512 c76954bb294be81ae5fb902893c3889c501456606573b4650ad39cde44e4b5abedd9753d3a11d300b582cac17b6e591b1296b6eac2b5abf5dbc7b1c94ee11db2
-
\??\Volume{1541411d-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{8abb8e7b-e227-43fb-b441-d6c09673f301}_OnDiskSnapshotProp
Filesize 6KB
MD5 4699a72dbb271b4c8a2187475607b2f5
SHA1 e15fe0d75e953fa11e99de9b8a748a3eeaca4cad
SHA256 5af0e811529a140b835e4c18cf28ec02064a44b1388d51ebb75d970cf0b5fcb6
SHA512 f4e5a697ef5144dc75e4489386479676c1ec37ab24c63e2c8759f16a1198e0ca231050a19b05b8cff86bd8ce122ab18bb1df584a9a913f9c193a8ceb348a1a19