Analysis

max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/11/2024, 14:58

Static task: static1
Behavioral task: behavioral1
Sample: 2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe
Resource: win7-20240903-en
General

Target: 2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe
Size: 16.5MB
MD5: c419a52486f6aa8865475f957f08dfdf
SHA1: 0b969f439e2fab419c83bf88283f72de3b606aa6
SHA256: 1990c98db7683ac36db52a8abf09d2973cd699e2428f1a84d5a85dce8911c14f
SHA512: 90509cd7ca6050a78837f897f3eac52b964c1d4c19c4fa838dc862ce281167f1cbfa80f6175772ad5db85095a84131628b97a3b7db9c34df6b3f9701c6d6253a
SSDEEP: 393216:XYAmqTvT63Sx0rPZhIxdWySdXlcmZ/4FBilYw9/4uQT2WgvqWPQ:dx63S6PZOxdWySQK/llYw9QuQT2JSWI
Malware Config
Signatures
ACProtect 1.3x - 1.4x DLL software 4 IoCs
Detects file using ACProtect software.
resource | yara_rule
behavioral2/files/0x0007000000023cd2-189.dat | acprotect
behavioral2/files/0x0007000000023cd1-203.dat | acprotect
behavioral2/files/0x0007000000023cec-208.dat | acprotect
behavioral2/files/0x0007000000023cce-316.dat | acprotect
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | 2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe
Drops file in System32 directory 10 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData | SRManagerSOS.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB | SRManagerSOS.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft | SRManagerSOS.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content | SRManagerSOS.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB | SRManagerSOS.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 | SRManagerSOS.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 | SRManagerSOS.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_9C79DA33A1711362E9D071D2706BB651 | SRManagerSOS.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_9C79DA33A1711362E9D071D2706BB651 | SRManagerSOS.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache | SRManagerSOS.exe

upx (yara rule; signature title not present in the extracted page) 22 IoCs
resource | yara_rule
behavioral2/files/0x0007000000023cd2-189.dat | upx
behavioral2/files/0x0007000000023cd1-203.dat | upx
behavioral2/files/0x0007000000023cec-208.dat | upx
behavioral2/memory/3200-209-0x00000000726A0000-0x000000007279D000-memory.dmp | upx
behavioral2/memory/3200-217-0x0000000072180000-0x0000000072544000-memory.dmp | upx
behavioral2/memory/3200-211-0x0000000072550000-0x000000007266C000-memory.dmp | upx
behavioral2/memory/3200-307-0x00000000726A0000-0x000000007279D000-memory.dmp | upx
behavioral2/memory/3200-310-0x0000000072550000-0x000000007266C000-memory.dmp | upx
behavioral2/memory/3200-313-0x0000000072180000-0x0000000072544000-memory.dmp | upx
behavioral2/files/0x0007000000023cce-316.dat | upx
behavioral2/memory/3200-317-0x00000000712B0000-0x0000000071474000-memory.dmp | upx
behavioral2/memory/3204-318-0x00000000726A0000-0x000000007279D000-memory.dmp | upx
behavioral2/memory/3200-321-0x0000000072180000-0x0000000072544000-memory.dmp | upx
behavioral2/memory/3204-323-0x0000000072550000-0x000000007266C000-memory.dmp | upx
behavioral2/memory/3200-322-0x00000000712B0000-0x0000000071474000-memory.dmp | upx
behavioral2/memory/3200-320-0x0000000072550000-0x000000007266C000-memory.dmp | upx
behavioral2/memory/3200-319-0x00000000726A0000-0x000000007279D000-memory.dmp | upx
behavioral2/memory/3204-330-0x0000000072180000-0x0000000072544000-memory.dmp | upx
behavioral2/memory/3204-332-0x0000000072550000-0x000000007266C000-memory.dmp | upx
behavioral2/memory/3204-333-0x0000000072180000-0x0000000072544000-memory.dmp | upx
behavioral2/memory/3204-331-0x00000000726A0000-0x000000007279D000-memory.dmp | upx
behavioral2/memory/3200-367-0x00000000726A0000-0x000000007279D000-memory.dmp | upx
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops file in Windows directory 2 IoCs
description | ioc | Process
File opened for modification | C:\Windows\LOGS\DPX\setupact.log | expand.exe
File opened for modification | C:\Windows\LOGS\DPX\setuperr.log | expand.exe

Executes dropped EXE 7 IoCs
pid | Process
804 | Launcher.exe
3200 | SRManagerSOS.exe
3764 | SRServerSOS.exe
3204 | SRAgentSOS.exe
4224 | SRAppPBSOS.exe
4620 | SRFeatureSOS.exe
2044 | SRUtilitySOS.exe

Loads dropped DLL 13 IoCs
pid | Process
3200 | SRManagerSOS.exe (x4)
3764 | SRServerSOS.exe
3204 | SRAgentSOS.exe (x4)
4620 | SRFeatureSOS.exe (x3)
3200 | SRManagerSOS.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Launcher.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SRManagerSOS.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SRAppPBSOS.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SRFeatureSOS.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SRUtilitySOS.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SRAgentSOS.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SRServerSOS.exe
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID | SRAgentSOS.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | SRAgentSOS.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc | SRAgentSOS.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | SRAgentSOS.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | SRAgentSOS.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Mfg | SRAgentSOS.exe
Modifies data under HKEY_USERS 48 IoCs
description | ioc | Process (all entries: Key created by SRManagerSOS.exe)
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | SRManagerSOS.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | SRManagerSOS.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | SRManagerSOS.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | SRManagerSOS.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | SRManagerSOS.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | SRManagerSOS.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | SRManagerSOS.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | SRManagerSOS.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | SRManagerSOS.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | SRManagerSOS.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SRManagerSOS.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | SRManagerSOS.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | SRManagerSOS.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | SRManagerSOS.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | SRManagerSOS.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | SRManagerSOS.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | SRManagerSOS.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT | SRManagerSOS.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | SRManagerSOS.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | SRManagerSOS.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | SRManagerSOS.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | SRManagerSOS.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Network\Location Awareness | SRManagerSOS.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | SRManagerSOS.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | SRManagerSOS.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | SRManagerSOS.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | SRManagerSOS.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | SRManagerSOS.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | SRManagerSOS.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | SRManagerSOS.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | SRManagerSOS.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | SRManagerSOS.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | SRManagerSOS.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | SRManagerSOS.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | SRManagerSOS.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | SRManagerSOS.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | SRManagerSOS.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Network | SRManagerSOS.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | SRManagerSOS.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | SRManagerSOS.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | SRManagerSOS.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | SRManagerSOS.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | SRManagerSOS.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\Location Awareness | SRManagerSOS.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | SRManagerSOS.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | SRManagerSOS.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | SRManagerSOS.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion | SRManagerSOS.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2452 | schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
1600 | 2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe (x56)
3200 | SRManagerSOS.exe (x2)
1600 | 2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe (x2)
3200 | SRManagerSOS.exe (x4)

Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeShutdownPrivilege | 3204 | SRAgentSOS.exe

Suspicious use of SetWindowsHookEx 6 IoCs
pid | Process
1600 | 2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe (x2)
3764 | SRServerSOS.exe (x2)
4224 | SRAppPBSOS.exe (x2)

Suspicious use of WriteProcessMemory 41 IoCs
description | pid | Process | procid_target
PID 1600 wrote to memory of 1992 | 1600 | 2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe | 85 (x2)
PID 1992 wrote to memory of 2252 | 1992 | cmd.exe | 87 (x2)
PID 1600 wrote to memory of 4444 | 1600 | 2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe | 89 (x2)
PID 4444 wrote to memory of 2452 | 4444 | cmd.exe | 91 (x2)
PID 1600 wrote to memory of 744 | 1600 | 2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe | 94 (x2)
PID 744 wrote to memory of 1116 | 744 | cmd.exe | 96 (x2)
PID 1600 wrote to memory of 1508 | 1600 | 2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe | 97 (x2)
PID 1508 wrote to memory of 1776 | 1508 | cmd.exe | 99 (x2)
PID 1600 wrote to memory of 3636 | 1600 | 2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe | 102 (x2)
PID 804 wrote to memory of 3200 | 804 | Launcher.exe | 104 (x3)
PID 3636 wrote to memory of 2764 | 3636 | cmd.exe | 105 (x2)
PID 3200 wrote to memory of 3764 | 3200 | SRManagerSOS.exe | 108 (x3)
PID 3200 wrote to memory of 3204 | 3200 | SRManagerSOS.exe | 109 (x3)
PID 3200 wrote to memory of 4224 | 3200 | SRManagerSOS.exe | 110 (x3)
PID 3200 wrote to memory of 4620 | 3200 | SRManagerSOS.exe | 111 (x3)
PID 4620 wrote to memory of 2044 | 4620 | SRFeatureSOS.exe | 112 (x3)
PID 3204 wrote to memory of 968 | 3204 | SRAgentSOS.exe | 115 (x3)

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

(process tree; indentation shows parent/child depth, first line is the image path, second line the command line)

[1] C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe"
    PID: 1600
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\system32\cmd.exe
        "C:\Windows\sysnative\cmd.exe" /c C:\Windows\system32\expand.exe *.cab /f:* .\
        PID: 1992
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\system32\expand.exe
            C:\Windows\system32\expand.exe *.cab /f:* .\
            PID: 2252
            - Drops file in Windows directory

    [2] C:\Windows\system32\cmd.exe
        "C:\Windows\sysnative\cmd.exe" /c schtasks /create /xml ASOS.xml /ru "system" /tn ASOS1
        PID: 4444
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\system32\schtasks.exe
            schtasks /create /xml ASOS.xml /ru "system" /tn ASOS1
            PID: 2452
            - Scheduled Task/Job: Scheduled Task

    [2] C:\Windows\system32\cmd.exe
        "C:\Windows\sysnative\cmd.exe" /c schtasks /change /tn ASOS1 /ru "system" /tr "'C:\Users\Admin\AppData\Local\Temp\unpacksos\1\\Launcher.exe' SRManagerSOS.exe 1 "
        PID: 744
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\system32\schtasks.exe
            schtasks /change /tn ASOS1 /ru "system" /tr "'C:\Users\Admin\AppData\Local\Temp\unpacksos\1\\Launcher.exe' SRManagerSOS.exe 1 "
            PID: 1116

    [2] C:\Windows\system32\cmd.exe
        "C:\Windows\sysnative\cmd.exe" /c schtasks /run /tn ASOS1
        PID: 1508
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\system32\schtasks.exe
            schtasks /run /tn ASOS1
            PID: 1776

    [2] C:\Windows\system32\cmd.exe
        "C:\Windows\sysnative\cmd.exe" /c schtasks /delete /f /tn ASOS1
        PID: 3636
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\system32\schtasks.exe
            schtasks /delete /f /tn ASOS1
            PID: 2764

[1] C:\Users\Admin\AppData\Local\Temp\unpacksos\1\Launcher.exe
    C:\Users\Admin\AppData\Local\Temp\unpacksos\1\\Launcher.exe SRManagerSOS.exe 1
    PID: 804
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe
        "SRManagerSOS.exe"
        PID: 3200
        - Drops file in System32 directory
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRServerSOS.exe
            SRServerSOS.exe -s
            PID: 3764
            - Executes dropped EXE
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx

        [3] C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe
            "C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe"
            PID: 3204
            - Executes dropped EXE
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery
            - Checks SCSI registry key(s)
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c C:\Windows\Temp\bd2_request_43b3c272f5b5d66.bat
                PID: 968
                - System Location Discovery: System Language Discovery

        [3] C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe
            "C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe"
            PID: 4224
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx

        [3] C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRFeatureSOS.exe
            "C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRFeatureSOS.exe"
            PID: 4620
            - Executes dropped EXE
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            [4] C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRUtilitySOS.exe
                SRUtilitySOS.exe -r
                PID: 2044
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 433B
MD5: bb3b81e1f94858ecaed8c3425f0024ce
SHA1: 932e55fbd8188f6ba5ff51f6a9190136317cc74b
SHA256: ad025a1f333ae2ba6d6fd9e7b656c55631d1b589db08aaf00ce577711e18befe
SHA512: c62e55d72ef8b5fe7bec7c5caec56b0ee7131598bd747a232e66bee02315851fe2560597a8df58d2cc41aa709111b11a88fa592089cfb3561f586f2dbf13feb1

Filesize: 5KB
MD5: c64addf3cffec7aea5a02a192c74bfb5
SHA1: f601f64d9d323de64394e30aed26223c836a6a15
SHA256: 8d0e9f04ca0dcbc18bfac6874f0c6c6a250782956d144118d23721dc2304c67e
SHA512: b1799a0f6b7e420fdcef916efd2c1ac2a9e3aef95342d1b62256205623cd6f2fa46ccec2aa14dc35e056786be584a56688290db62cc097f61b1463f3dc2222bd

Filesize: 398B
MD5: f0f79dfa81a3e3c0730acf0be18e2865
SHA1: 2766a217ae26654c53f4293118751a57b0a42bcf
SHA256: 73d7a697a3af00a80bba5fe9688576aa027b09d0983e719965bedc26d73ede3f
SHA512: 6707cb4fc28d49d910afe342790a3513142036b104794a096646ab546fc3ee50db5e428a68336eca770e0d56f0c9ae36c1cc238be2c64644ae9a283a2260a5d5

Filesize: 256B
MD5: 6d69724c8b19608f6a0083148a38b927
SHA1: 7ebb8c53a041bfc8218f6b7f280d256faedccb8c
SHA256: effe5a095601f94c953c0067b153865eca17385d5776ed6d5fa4e5410c3de925
SHA512: b3c12d61b3e31793e870aed0e1f7bb5e76bba752bda412b748e8941a8508995bbcd6fde3071d6be6789d1631eae38cace6bfa1bef069e296a0f45b7f4215a0fc

Filesize: 425B
MD5: 9537e9d6415fe3cb654382e5533b5833
SHA1: 9523175453b9d5bbcf2aa282651e6011d14f98ad
SHA256: 186e70ecc6fc69c48e5df8ea9dfc217562189d775aee1fdacba2067541fb34a6
SHA512: 0c6b41b2a3296af02a46460fa93d4b9a27588e2d39ed65bde287583da10d19a7664c434653f4a25bf9fe16c4bed82dffc8d265831c90d5923128a9cf229846e2

Filesize: 149B
MD5: f2d5f8a01c7832e4f60c8a1579a5691f
SHA1: 9a9afe6c424a888f798c3c879d64a9e30b6e981e
SHA256: 4712961ec08d9130d2296172ff2da6186b480bedc9ebcb70800cf7153fe31690
SHA512: 92a6700668c4811f7e85a532c9dbceb905f87b0841915d6fd1171f5ede9d8390f036958e218dc04ac78d4443e323c1813cd730e0608a6a26cfa4ed8ac798b7a7

Filesize: 51KB
MD5: 71559662e8112dd44f31670600b5fb15
SHA1: b627f31641e1c7fb40d164f94b8e364f03648922
SHA256: 4e5e616946bdbdb5a4c26ff1a75f665f9d6e69c6421cb1e2933f32628ecbd09e
SHA512: 9aacc46d8ee927b56cfd0c8f9b9328df1f163ead52e52bdbd3deae1ce994e8c77dc0a4fe9defc45cee93a25bb07193873b9e9580ee2adcca20a86b91c5b32574

Filesize: 2KB
MD5: 8ce869f7dbbb2e38c8de76716e49b8a5
SHA1: de73a6b80fca67b06a7e1fec1904095d61b7b864
SHA256: 1008bce6f93a3863164b0fea34bea07bd6ce304dffafac5615dc52bbb675bd47
SHA512: 98afa1fe513beb31bca44e56fe40f0a049d3bb0ccc7cf4997b8fb2631774131c7232072e733674a3ed6771201d53788e94d595e8254a5ffc4d6cc45ff93417af

Filesize: 184KB
MD5: 11bab8f4bc4d4866478d292f86d87d90
SHA1: 2a64756a78c369bafae006bac8e4748d3fbeff9d
SHA256: 543be8a168f0e74bc57cfbb4da66966ef195a40b642f9d09b4ddb19e57c18724
SHA512: fde665f35b2a3a7b7bf217f8930aadee7583ec7e94b03c59a6ea282f4009c4cc1508380071c95b3742bddd5c8f2589a776d75d3c6bc14a2dbf64e8bcee1e81ef

Filesize: 1.9MB
MD5: bec6156158a67602b09cf0da73030c97
SHA1: 7d3b3f04b1b0687c2f57b4eef16025e5b510078a
SHA256: 915ab66486ebc2d53e00fb67009e9075f5f38362ec9991dea0edd22e1f376b85
SHA512: 83a9db2a90bf15fbfaa11fa22ca360645b0dc75dfd6ec78cd8e92d1545b25661338d748b2bc135382e46ce14825e4c1e93ac08f5f9d7c357ff60fe1748f06a3d

Filesize: 2.7MB
MD5: a490f9458c33bd398784f2a279191fe5
SHA1: 75608efd13ec19a2bd9adaf4a3c213fe8b56b58c
SHA256: a4291f8933c7c7f86f41b6d8c55b38b32d423ca2de2fd849bfb34cfaa3a423c9
SHA512: 7fe5000e801e23d7f606b44e630069b3b1da3610b7f24710dfc45692d5c1f630cae0008ce7ec64f943725a33a290fd22621dec7ff0b22496a7a8a79f95777f3d

Filesize: 5KB
MD5: a8b2b3d6c831f120ce624cff48156558
SHA1: 202db3bd86f48c2a8779d079716b8cc5363edece
SHA256: 33fe8889070b91c3c2e234db8494fcc174ecc69cfff3d0bc4f6a59b39c500484
SHA512: 3b1fc8910b462ea2e3080418428795ca63075163e1e42a7136fa688aa2e130f5d3088ab27d18395c8c0a4d76bdc5ed95356255b8c29d49116e4743d269c97bf9

Filesize: 4.6MB
MD5: 5d4047d09fa30aafc2ee265afcfdacc4
SHA1: 47caafb8d67d97b0347cca98e8763349485b5e77
SHA256: ac54dccb48af54e59a10dbc4b58963100968cf578c19863a0370b377386ec5d5
SHA512: 0d1d9048691d249e6ebaf6ae5fa6016022b79b7be6bdd9232613e3ba7e85fd5132e6c01fc8b07171d38a0122ac7d8c584ee5e35eddf0632cb3bfc22b05821737

Filesize: 1.8MB
MD5: 6bbf902fcba6e17773232805831e9b73
SHA1: 09f23cb4861a07541eb0e57ddd67462ea3697d5c
SHA256: ba7ee39b274953a47678cc1c5bf7d0c82f4fdba483a760ede46be9c27f91c4d7
SHA512: 5c86b9f22bc61c078b219c7463b0dd8ddc39e40dffa620b08b6eca2c2d28b18446c06074ae1260baa2cd0c07c4a08135590b7f722a24a360a8ffa712187d707e

Filesize: 5.1MB
MD5: 393830c320fccbced08ed693bdec80f0
SHA1: 1fc1d88d4db881af32540926b1ac901af72d9ff7
SHA256: 6fd3f1370638043928215e1dfd6e29c0bbc250188001c2e356f708c147c11359
SHA512: 8cd4f8af20b6a35e60e6522971e1e2ed2a4cdbe26215051758e690291d077fcc8c3e2d407878280fe4858e69daad4088381f573a8058754bf3f0bb44f2e64389

Filesize: 394KB
MD5: 4c534eb38f42bc64f08c33182156d8a1
SHA1: eebd8f8c323e50945a273f1c197e91a9be17bbaf
SHA256: 7fa2aa9e466e2f3b884d11984e3d68750cbcddb033f02f8aac4aeef1ee02faa1
SHA512: 97d5182bb70e21c5c6e2d43aa62fca5a171aed3d3ac97a623a6fc187590ce3595ddbbf8b82b969be86ea0fed22c5447819a0f72b1304aef1560bdfd5f0054e98

Filesize: 156KB
MD5: 4a3e37f3189e286732c097625f66cbeb
SHA1: 07443d2e446696ea3d454fb511785c54f1b9d692
SHA256: 9d5ad887858f91b394267a193caefdd0b2247b510ce684028d5abde1c2ab0610
SHA512: 5fb1d9467688cea1024e45d2e9bf25b5bd2b272d7471077a849499ef4da5d03de720b64fc111c87b913e85a9c37882ec01e3af2fe71280d75a353f76ebad8160

Filesize: 548KB
MD5: a9a9d31764b50858a01b1fb228406f06
SHA1: 7a313c46f049287045992f54f9d6eda9db568ef8
SHA256: c0babd7670124bb298d3ba6a8ee5ae33ad1030c08a18d8b8861f5d83003eb645
SHA512: 164d5497aa91a5b4742a291f589400bc0b189af946615a2f04e6cfd1ed598a542f7521e4dd79aab99414846a3c391255309f911c247ef446a0483d9fab6efdfc

Filesize: 80KB
MD5: 64f7dd1022edefb36991bae0ccd8d2c5
SHA1: 4f4a801372b0f90edd2e147a45cb1a328cce01b3
SHA256: 68cf4808ac92b3a857a1a6b9cd0137b4e44fa8ae19d81e111aa2d2e7174ac554
SHA512: 580ad3a55edbc3ce65b4c62e83c1bb78e7523f4ea2dcde952a7b5c8bd933cbbc662e396c7f38c37b9958df0eb19326defd9ed9f1183b8ac693aaf4e5b18b4178

Filesize: 1.0MB
MD5: eeda10135ede6edb5c85df3bd878e557
SHA1: 8a1059dfd641269945e7a2710b684881bb63e8d2
SHA256: 4b890de3708716d81c1c719b498734339d417e8ffc4955d81483d1ebc0f84697
SHA512: a56bfc73537e36efba8e09ffd0b2f6bfc56bc4cb4fe90b52858c7afd5d67db23ccba51c8097befe4ecb5082ba66c2b2612e2975ef3448252c48b97f41d12d591

Filesize: 1KB
MD5: c95fa1029e39dd12d24dddc07d24b694
SHA1: a813cc60c0d821219bd7301ab7557e7fc3328999
SHA256: 664042ed1d06746971e0f05c440a094d0e5ef7e6d54845b4501768a06e60e2a0
SHA512: 08343d820a66bc5b945090c6fb1ab3b70975ac6c2b2551c3c83925e51f56958f81b14f6f19cc8b6fed55eeb0316b47094da33378ba24adabbfd33e38098e01eb

Filesize: 592B
MD5: e077993e994d28bbc7502681280c5551
SHA1: 9c3b360f9e81ccf8c8b56be25e4ce9d67d1f61b4
SHA256: b8d539255fb1ea42ee3b06f0e314b037e35701e2b258272889d866dd3419526b
SHA512: b2fed3539bd94999f9f9a2cfebac6a3632212c10f3d97a5129e444fc548d1685877d0810790b71d342a4ef9080d1efc73bf7a9493b5ccbd93232231ee2251abe

Filesize: 681KB
MD5: 68d8d459ee6a5027ffe35302b21d66fa
SHA1: 91299e1ff75b293a18105fbdfcb2cde92a6c8507
SHA256: 0ef5739fcc3850411e1db6af2e194e25c7e473bb950a387a7c851fe02660b4e8
SHA512: c032e6c057da58374ff51b50b2146e4b27eb6a18a452668eb2c78e3f4e729399f303873a2dc40f5910826a4f23146dfb851b62df3d5948a9039ec6ed23e53b32

Filesize: 1.3MB
MD5: 72d867e8c7a84374aa72bf7feca4334e
SHA1: bbe4c42beb19a1f23bfbcfc5a67164d5ea29784e
SHA256: 17d29b81faea714b5a93008711d92d1329b22244a2e9f56736064caa4fd3cd84
SHA512: b523df6ffe4a51180cdf2bda761b01a521391a6b24e081309c33c91835c19be96015b932d527822f5837802a979a3c48f5cc111892c47c082e8bcb8f2115ac3f

Filesize: 333KB
MD5: 99a6a9656da926af8aa648d50b47dcfb
SHA1: 81db96003bd8f63250abc7e59fb35e0227d3f28a
SHA256: fdf1f9d0af4ff8e5cbd4387d6849327e91f0eedd1befe58d7dd8b6ec40e90a98
SHA512: 16e850fdabf76a11ed4176e0fd57dafb64faf9551ea220d003c5a86aff8c39ab40d66f7ac7fcc6ef71cfa7e1d6268bbc23e32aa5cf69df58a5d05f666701f3c0

Filesize: 17KB
MD5: 2dac6568b843ebdc5c98598ca32918be
SHA1: e7740e4be7f71a82adbb6e5224d33534e237614c
SHA256: eb61a0e06bf8c69597f9bb1909e3eb4f926e49800c3f9721fda3007993da5ee7
SHA512: 1bc8aa82e68911f5ee1835d19cf49a736c1c35c2f6b4fcd48c3c6fcf7ff6958400d1e815c5e891e172af9035232175bb00e8a21f5a0590f02dc683f45a6c3d8b

Filesize: 19KB
MD5: 1d56a3f8d7f5dab184a8cc4feddaa173
SHA1: 75d291cb96fdc05d54c962f1cb08796ee439b22f
SHA256: 84e1a32b4975e92477cf6a36d8931921da735ef988e0c09a2b056f2904541b1e
SHA512: fb58167a98d9309a703f06d5c6414ab707b37e90a26bfc1c0812b10381c116fa6c7c26ac30fc8570b8f87186775bc64e7af6d409a7d213fc3b4b76b0b7a76fb6

Filesize: 16.0MB
MD5: 694108221033253d3fe1ec0d42708b35
SHA1: 875f186db147a342e2326489fef105737f726046
SHA256: 50f163445bd8465bfda6075a25b4204dab3b04025b351f98aff3d1354f889c62
SHA512: 20046e6e3bbb9ec39dc1e9aed6fee483119b6154881ef6c9d33b8132548e3d6e2d4a870547d3159688902d654f3c594de170aaefdafb723edc28989358ca8a47

Filesize: 190KB
MD5: 4a2f597c15ad595cfd83f8a34a0ab07a
SHA1: 7f6481be6ddd959adde53251fa7e9283a01f0962
SHA256: 5e756f0f1164b7519d2269aa85e43b435b5c7b92e65ed84e6051e75502f31804
SHA512: 0e868ad546a6081de76b4a5cdcc7d457b2f0fb7239dc676c17c46a988a02696b12a9c3a85f627c76e6524f9a3ed25f2d9b8e8764d7e18fc708ead4475591946f

Filesize: 161B
MD5: 4a3fe2d6413f690dce1800b9b77a1c04
SHA1: 83c5daf2d94aa22685dc32c92f72d457eb4da952
SHA256: de5cb61f8cc7c99fb9aa4892e28254b8bbe02c9aaede4e0347f4acb0da07213c
SHA512: ba94ec71edf27cf67b29e94c750e5e796c43c3655b58e224a71b7874c5237acf19a6f3a8492496475a6658e97ed219fdfba53af869443a0f502dc9c89bdbdd94