Analysis
- max time kernel: 150s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 05-12-2024 14:50
- Static task: static1
- Behavioral task: behavioral1
- Sample: 2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe
- Resource: win7-20240903-en
General
- Target: 2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe
- Size: 3.0MB
- MD5: 7e6bbbe6f0d2afbcdab740efe8b1db6f
- SHA1: c3b6d18fe165dabf9b63ea394fcfe2c4cdaa8e7c
- SHA256: a44848c7375696bfbeedcc854d522757b99432d73d3e5d17d4e3a4c7525a89d2
- SHA512: 78f5a011d40aed230af7d38979ddf9184bcb2d81e9da99a21e16b8b923e5405fcfcf7b90be442f72a90d083a555972db1bf3fafc1fda13af20159b953cc55010
- SSDEEP: 98304:BGdVyVT9nOgmhvnG/wNbTC+vipJ2bsQ+VnG/ws:+WT9nO71+wF/ilQ+V+ws
Signatures
-
Purplefox rootkit (yara rule purplefox_rootkit) 9 IoCs
-
Gh0st RAT payload 10 IoCs
-
Gh0strat family
-
Purplefox family
-
Drops file in Drivers directory 1 IoCs
- File created: C:\Windows\system32\drivers\QAssist.sys (TXPlatforn.exe)
-
Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259438351.txt" (svchos.exe)
-
Sets service image path in registry 2 TTPs 1 IoCs
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" (TXPlatforn.exe)
-
A potential corporate email address has been identified in the URL: icon-macOS@2x_ebb427cc.png
-
A potential corporate email address has been identified in the URL: icon_hover_macOS@2x_bf56032.png
-
A potential corporate email address has been identified in the URL: icon_hover_windows@2x_1ab1eec.png
-
A potential corporate email address has been identified in the URL: icon_normal_Android@2x_fd21f9a9.png
-
A potential corporate email address has been identified in the URL: icon_normal_Apple@2x_ec4d2a17.png
-
A potential corporate email address has been identified in the URL: icon_normal_DECK@2x_8559407c.png
-
A potential corporate email address has been identified in the URL: icon_normal_Pico@2x_e278ad60.png
-
A potential corporate email address has been identified in the URL: icon_normal_Playstation@2x_e5ad2adf.png
-
A potential corporate email address has been identified in the URL: icon_normal_Quest@2x_fa9f1659.png
-
A potential corporate email address has been identified in the URL: icon_normal_Switch@2x_d6d51ce7.png
-
A potential corporate email address has been identified in the URL: icon_normal_Xbox@2x_d6501e3f.png
-
A potential corporate email address has been identified in the URL: icon_normal_macOS@2x_23018f4c.png
-
A potential corporate email address has been identified in the URL: icon_normal_next@2x_8f139c4f.png
-
A potential corporate email address has been identified in the URL: icon_normal_windows@2x_27887efc.png
-
A potential corporate email address has been identified in the URL: icon_support_console@2x_ddad8f37.png
-
A potential corporate email address has been identified in the URL: icon_support_mobile@2x_f10457d6.png
-
Executes dropped EXE 6 IoCs
- PID 2552 svchost.exe
- PID 2068 TXPlatforn.exe
- PID 1168 TXPlatforn.exe
- PID 2248 svchos.exe
- PID 2936 HD_2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe
- PID 884 Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
-
Loads dropped DLL 8 IoCs
- PID 328 2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe
- PID 2068 TXPlatforn.exe
- PID 328 2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe
- PID 2248 svchos.exe
- PID 2736 svchost.exe
- PID 328 2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe
- PID 2736 svchost.exe
- PID 884 Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
-
Drops file in System32 directory 6 IoCs
- File created: C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe (svchost.exe)
- File opened for modification: C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe (svchost.exe)
- File created: C:\Windows\SysWOW64\TXPlatforn.exe (svchost.exe)
- File opened for modification: C:\Windows\SysWOW64\TXPlatforn.exe (svchost.exe)
- File created: C:\Windows\SysWOW64\259438351.txt (svchos.exe)
- File opened for modification: C:\Windows\SysWOW64\ini.ini (svchos.exe)
-
UPX packed (yara rule upx) 11 IoCs
-
Drops file in Program Files directory 4 IoCs
- File opened for modification: C:\Program Files\VideoLAN\VLC\vlc.exe (2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe)
- File opened for modification: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe)
- File opened for modification: C:\Program Files\Mozilla Firefox\firefox.exe (2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe)
- File created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 10 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by each of IEXPLORE.EXE, 2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe, svchost.exe, svchos.exe, svchost.exe, Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe, TXPlatforn.exe, cmd.exe, PING.EXE, HD_2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
- PID 2132 cmd.exe
- PID 2820 PING.EXE
-
Modifies Internet Explorer settings (iexplore.exe, IEXPLORE.EXE)
-
Runs ping.exe 1 TTPs 1 IoCs
- PID 2820 PING.EXE
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
- PID 328 2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe
-
Suspicious behavior: LoadsDriver 1 IoCs
- PID 1168 TXPlatforn.exe
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
- Token: SeIncBasePriorityPrivilege, PID 2552 svchost.exe
- Token: SeLoadDriverPrivilege, PID 1168 TXPlatforn.exe
- Token: 33, PID 1168 TXPlatforn.exe
- Token: SeIncBasePriorityPrivilege, PID 1168 TXPlatforn.exe
- Token: 33, PID 1168 TXPlatforn.exe
- Token: SeIncBasePriorityPrivilege, PID 1168 TXPlatforn.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
- PID 852 iexplore.exe
-
Suspicious use of SetWindowsHookEx 6 IoCs
- PID 328 2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe
- PID 328 2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe
- PID 852 iexplore.exe
- PID 852 iexplore.exe
- PID 840 IEXPLORE.EXE
- PID 840 IEXPLORE.EXE
-
Suspicious use of WriteProcessMemory 42 IoCs
- PID 328 (2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe) wrote to memory of PID 2552 (target procid 30), 7 events
- PID 2552 (svchost.exe) wrote to memory of PID 2132 (target procid 32), 4 events
- PID 2068 (TXPlatforn.exe) wrote to memory of PID 1168 (target procid 33), 7 events
- PID 328 (2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe) wrote to memory of PID 2248 (target procid 34), 4 events
- PID 2132 (cmd.exe) wrote to memory of PID 2820 (target procid 36), 4 events
- PID 328 (2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe) wrote to memory of PID 2936 (target procid 39), 4 events
- PID 2736 (svchost.exe) wrote to memory of PID 884 (target procid 41), 4 events
- PID 2936 (HD_2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe) wrote to memory of PID 852 (target procid 43), 4 events
- PID 852 (iexplore.exe) wrote to memory of PID 840 (target procid 44), 4 events
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe"
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 328
  C:\Users\Admin\AppData\Local\Temp\svchost.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\\svchost.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2552
    C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2132
      C:\Windows\SysWOW64\PING.EXE
      Command line: ping -n 2 127.0.0.1
      - System Location Discovery: System Language Discovery
      - System Network Configuration Discovery: Internet Connection Discovery
      - Runs ping.exe
      PID: 2820
  C:\Users\Admin\AppData\Local\Temp\svchos.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\\svchos.exe
  - Server Software Component: Terminal Services DLL
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID: 2248
  C:\Users\Admin\AppData\Local\Temp\HD_2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\HD_2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2936
    C:\Program Files\Internet Explorer\iexplore.exe
    Command line: "C:\Program Files\Internet Explorer\iexplore.exe" https://uu.163.com/
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 852
      C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:852 CREDAT:275457 /prefetch:2
      - System Location Discovery: System Language Discovery
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
      PID: 840
-
C:\Windows\SysWOW64\TXPlatforn.exe
Command line: C:\Windows\SysWOW64\TXPlatforn.exe -auto
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2068
  C:\Windows\SysWOW64\TXPlatforn.exe
  Command line: C:\Windows\SysWOW64\TXPlatforn.exe -acsi
  - Drops file in Drivers directory
  - Sets service image path in registry
  - Executes dropped EXE
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  PID: 1168
-
C:\Windows\SysWOW64\svchost.exe
Command line: C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
PID: 2864
-
C:\Windows\SysWOW64\svchost.exe
Command line: C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2736
  C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
  Command line: C:\Windows\system32\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe "c:\windows\system32\259438351.txt",MainThread
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID: 884
-
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Server Software Component (1): Terminal Services DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)