Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
05-12-2024 14:50
Static task
static1
Behavioral task
behavioral1
Sample
2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe
Resource
win7-20240903-en
General
-
Target
2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe
-
Size
3.0MB
-
MD5
7e6bbbe6f0d2afbcdab740efe8b1db6f
-
SHA1
c3b6d18fe165dabf9b63ea394fcfe2c4cdaa8e7c
-
SHA256
a44848c7375696bfbeedcc854d522757b99432d73d3e5d17d4e3a4c7525a89d2
-
SHA512
78f5a011d40aed230af7d38979ddf9184bcb2d81e9da99a21e16b8b923e5405fcfcf7b90be442f72a90d083a555972db1bf3fafc1fda13af20159b953cc55010
-
SSDEEP
98304:BGdVyVT9nOgmhvnG/wNbTC+vipJ2bsQ+VnG/ws:+WT9nO71+wF/ilQ+V+ws
Malware Config
Signatures
-
resource yara_rule behavioral2/memory/3096-6-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit behavioral2/memory/3096-10-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit behavioral2/memory/3096-7-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit behavioral2/memory/2300-15-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit behavioral2/memory/2300-19-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit behavioral2/memory/2300-26-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit behavioral2/memory/3768-31-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit behavioral2/memory/3768-30-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit behavioral2/memory/3768-54-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit behavioral2/memory/3768-88-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit behavioral2/memory/2300-16-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit -
Gh0st RAT payload 12 IoCs
resource yara_rule behavioral2/memory/3096-6-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat behavioral2/memory/3096-10-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat behavioral2/memory/3096-7-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat behavioral2/memory/2300-15-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat behavioral2/memory/2300-19-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat behavioral2/memory/2300-26-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat behavioral2/files/0x000a000000023b82-24.dat family_gh0strat behavioral2/memory/3768-31-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat behavioral2/memory/3768-30-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat behavioral2/memory/3768-54-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat behavioral2/memory/3768-88-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat behavioral2/memory/2300-16-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat -
Gh0strat family
-
Purplefox family
-
Drops file in Drivers directory 1 IoCs
description ioc Process File created C:\Windows\system32\drivers\QAssist.sys TXPlatforn.exe -
Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\240609343.txt" svchos.exe -
Sets service image path in registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" TXPlatforn.exe -
Checks computer location settings 2 TTPs 8 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation HD_msedge.exe Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation HD_msedge.exe Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation HD_msedge.exe Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation HD_msedge.exe Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation HD_msedge.exe Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation HD_msedge.exe Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation HD_msedge.exe Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation HD_msedge.exe -
Executes dropped EXE 24 IoCs
pid Process 3096 svchost.exe 2300 TXPlatforn.exe 4872 svchos.exe 3768 TXPlatforn.exe 5052 HD_2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe 2336 Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe 668 msedge.exe 2168 svchost.exe 2328 TXPlatforn.exe 2716 TXPlatforn.exe 4148 svchos.exe 3232 HD_msedge.exe 3124 HD_msedge.exe 3928 HD_msedge.exe 4404 HD_msedge.exe 4468 HD_msedge.exe 4356 HD_msedge.exe 4380 HD_msedge.exe 3648 HD_msedge.exe 4572 HD_msedge.exe 4868 HD_msedge.exe 3120 HD_msedge.exe 3684 HD_msedge.exe 3468 HD_msedge.exe -
Loads dropped DLL 3 IoCs
pid Process 4872 svchos.exe 4900 svchost.exe 2336 Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials, among other things.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA HD_msedge.exe -
Checks system information in the registry 2 TTPs 2 IoCs
System information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer HD_msedge.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName HD_msedge.exe -
Drops file in System32 directory 6 IoCs
description ioc Process File created C:\Windows\SysWOW64\TXPlatforn.exe svchost.exe File opened for modification C:\Windows\SysWOW64\TXPlatforn.exe svchost.exe File created C:\Windows\SysWOW64\240609343.txt svchos.exe File opened for modification C:\Windows\SysWOW64\ini.ini svchos.exe File created C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe svchost.exe File opened for modification C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe svchost.exe -
resource yara_rule behavioral2/memory/3096-6-0x0000000010000000-0x00000000101B6000-memory.dmp upx behavioral2/memory/3096-4-0x0000000010000000-0x00000000101B6000-memory.dmp upx behavioral2/memory/3096-10-0x0000000010000000-0x00000000101B6000-memory.dmp upx behavioral2/memory/3096-7-0x0000000010000000-0x00000000101B6000-memory.dmp upx behavioral2/memory/2300-15-0x0000000010000000-0x00000000101B6000-memory.dmp upx behavioral2/memory/2300-19-0x0000000010000000-0x00000000101B6000-memory.dmp upx behavioral2/memory/2300-26-0x0000000010000000-0x00000000101B6000-memory.dmp upx behavioral2/memory/3768-28-0x0000000010000000-0x00000000101B6000-memory.dmp upx behavioral2/memory/3768-31-0x0000000010000000-0x00000000101B6000-memory.dmp upx behavioral2/memory/3768-30-0x0000000010000000-0x00000000101B6000-memory.dmp upx behavioral2/memory/3768-54-0x0000000010000000-0x00000000101B6000-memory.dmp upx behavioral2/memory/3768-88-0x0000000010000000-0x00000000101B6000-memory.dmp upx behavioral2/memory/2300-16-0x0000000010000000-0x00000000101B6000-memory.dmp upx behavioral2/memory/2300-13-0x0000000010000000-0x00000000101B6000-memory.dmp upx -
Drops file in Program Files directory 7 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe 2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe 2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe 2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe File created C:\Program Files (x86)\Google\Chrome\Application\chrome.exe 2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe File opened for modification C:\Program Files\VideoLAN\VLC\vlc.exe 2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe File created C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe msedge.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe msedge.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 15 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HD_2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchos.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language TXPlatforn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language TXPlatforn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchos.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language msedge.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 4588 PING.EXE 2380 cmd.exe 4228 cmd.exe 3040 PING.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS HD_msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer HD_msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName HD_msedge.exe -
Runs ping.exe 1 TTPs 2 IoCs
pid Process 4588 PING.EXE 3040 PING.EXE -
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid Process 1376 2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe 1376 2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe 668 msedge.exe 668 msedge.exe 4468 HD_msedge.exe 4468 HD_msedge.exe 3232 HD_msedge.exe 3232 HD_msedge.exe 448 identity_helper.exe 448 identity_helper.exe 3468 HD_msedge.exe 3468 HD_msedge.exe 3468 HD_msedge.exe 3468 HD_msedge.exe -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 3768 TXPlatforn.exe -
Suspicious use of AdjustPrivilegeToken 7 IoCs
description pid Process Token: SeIncBasePriorityPrivilege 3096 svchost.exe Token: SeLoadDriverPrivilege 3768 TXPlatforn.exe Token: SeIncBasePriorityPrivilege 2168 svchost.exe Token: 33 3768 TXPlatforn.exe Token: SeIncBasePriorityPrivilege 3768 TXPlatforn.exe Token: 33 3768 TXPlatforn.exe Token: SeIncBasePriorityPrivilege 3768 TXPlatforn.exe -
Suspicious use of FindShellTrayWindow 25 IoCs
pid Process 3232 HD_msedge.exe 3232 HD_msedge.exe 3232 HD_msedge.exe 3232 HD_msedge.exe 3232 HD_msedge.exe 3232 HD_msedge.exe 3232 HD_msedge.exe 3232 HD_msedge.exe 3232 HD_msedge.exe 3232 HD_msedge.exe 3232 HD_msedge.exe 3232 HD_msedge.exe 3232 HD_msedge.exe 3232 HD_msedge.exe 3232 HD_msedge.exe 3232 HD_msedge.exe 3232 HD_msedge.exe 3232 HD_msedge.exe 3232 HD_msedge.exe 3232 HD_msedge.exe 3232 HD_msedge.exe 3232 HD_msedge.exe 3232 HD_msedge.exe 3232 HD_msedge.exe 3232 HD_msedge.exe -
Suspicious use of SendNotifyMessage 24 IoCs
pid Process 3232 HD_msedge.exe 3232 HD_msedge.exe 3232 HD_msedge.exe 3232 HD_msedge.exe 3232 HD_msedge.exe 3232 HD_msedge.exe 3232 HD_msedge.exe 3232 HD_msedge.exe 3232 HD_msedge.exe 3232 HD_msedge.exe 3232 HD_msedge.exe 3232 HD_msedge.exe 3232 HD_msedge.exe 3232 HD_msedge.exe 3232 HD_msedge.exe 3232 HD_msedge.exe 3232 HD_msedge.exe 3232 HD_msedge.exe 3232 HD_msedge.exe 3232 HD_msedge.exe 3232 HD_msedge.exe 3232 HD_msedge.exe 3232 HD_msedge.exe 3232 HD_msedge.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 1376 2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe 1376 2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe 668 msedge.exe 668 msedge.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1376 wrote to memory of 3096 1376 2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe 83 PID 1376 wrote to memory of 3096 1376 2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe 83 PID 1376 wrote to memory of 3096 1376 2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe 83 PID 3096 wrote to memory of 2380 3096 svchost.exe 85 PID 3096 wrote to memory of 2380 3096 svchost.exe 85 PID 3096 wrote to memory of 2380 3096 svchost.exe 85 PID 1376 wrote to memory of 4872 1376 2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe 86 PID 1376 wrote to memory of 4872 1376 2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe 86 PID 1376 wrote to memory of 4872 1376 2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe 86 PID 2300 wrote to memory of 3768 2300 TXPlatforn.exe 87 PID 2300 wrote to memory of 3768 2300 TXPlatforn.exe 87 PID 2300 wrote to memory of 3768 2300 TXPlatforn.exe 87 PID 1376 wrote to memory of 5052 1376 2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe 91 PID 1376 wrote to memory of 5052 1376 2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe 91 PID 1376 wrote to memory of 5052 1376 2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe 91 PID 2380 wrote to memory of 4588 2380 cmd.exe 92 PID 2380 wrote to memory of 4588 2380 cmd.exe 92 PID 2380 wrote to memory of 4588 2380 cmd.exe 92 PID 4900 wrote to memory of 2336 4900 svchost.exe 94 PID 4900 wrote to memory of 2336 4900 svchost.exe 94 PID 4900 wrote to memory of 2336 4900 svchost.exe 94 PID 5052 wrote to memory of 668 5052 HD_2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe 96 PID 5052 wrote to memory of 668 5052 HD_2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe 96 PID 5052 wrote to memory of 668 5052 HD_2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe 96 PID 668 wrote 
to memory of 2168 668 msedge.exe 97 PID 668 wrote to memory of 2168 668 msedge.exe 97 PID 668 wrote to memory of 2168 668 msedge.exe 97 PID 2328 wrote to memory of 2716 2328 TXPlatforn.exe 99 PID 2328 wrote to memory of 2716 2328 TXPlatforn.exe 99 PID 2328 wrote to memory of 2716 2328 TXPlatforn.exe 99 PID 2168 wrote to memory of 4228 2168 svchost.exe 100 PID 2168 wrote to memory of 4228 2168 svchost.exe 100 PID 2168 wrote to memory of 4228 2168 svchost.exe 100 PID 668 wrote to memory of 4148 668 msedge.exe 101 PID 668 wrote to memory of 4148 668 msedge.exe 101 PID 668 wrote to memory of 4148 668 msedge.exe 101 PID 4228 wrote to memory of 3040 4228 cmd.exe 104 PID 4228 wrote to memory of 3040 4228 cmd.exe 104 PID 4228 wrote to memory of 3040 4228 cmd.exe 104 PID 668 wrote to memory of 3232 668 msedge.exe 103 PID 668 wrote to memory of 3232 668 msedge.exe 103 PID 3232 wrote to memory of 3124 3232 HD_msedge.exe 105 PID 3232 wrote to memory of 3124 3232 HD_msedge.exe 105 PID 3232 wrote to memory of 3928 3232 HD_msedge.exe 106 PID 3232 wrote to memory of 3928 3232 HD_msedge.exe 106 PID 3232 wrote to memory of 3928 3232 HD_msedge.exe 106 PID 3232 wrote to memory of 3928 3232 HD_msedge.exe 106 PID 3232 wrote to memory of 3928 3232 HD_msedge.exe 106 PID 3232 wrote to memory of 3928 3232 HD_msedge.exe 106 PID 3232 wrote to memory of 3928 3232 HD_msedge.exe 106 PID 3232 wrote to memory of 3928 3232 HD_msedge.exe 106 PID 3232 wrote to memory of 3928 3232 HD_msedge.exe 106 PID 3232 wrote to memory of 3928 3232 HD_msedge.exe 106 PID 3232 wrote to memory of 3928 3232 HD_msedge.exe 106 PID 3232 wrote to memory of 3928 3232 HD_msedge.exe 106 PID 3232 wrote to memory of 3928 3232 HD_msedge.exe 106 PID 3232 wrote to memory of 3928 3232 HD_msedge.exe 106 PID 3232 wrote to memory of 3928 3232 HD_msedge.exe 106 PID 3232 wrote to memory of 3928 3232 HD_msedge.exe 106 PID 3232 wrote to memory of 3928 3232 HD_msedge.exe 106 PID 3232 wrote to memory of 3928 3232 HD_msedge.exe 106 PID 3232 
wrote to memory of 3928 3232 HD_msedge.exe 106 PID 3232 wrote to memory of 3928 3232 HD_msedge.exe 106 PID 3232 wrote to memory of 3928 3232 HD_msedge.exe 106 -
System policy modification 1 TTPs 1 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection HD_msedge.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe"C:\Users\Admin\AppData\Local\Temp\2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe"1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1376 -
C:\Users\Admin\AppData\Local\Temp\svchost.exeC:\Users\Admin\AppData\Local\Temp\\svchost.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3096 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul3⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:2380 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.14⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4588
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\svchos.exeC:\Users\Admin\AppData\Local\Temp\\svchos.exe2⤵
- Server Software Component: Terminal Services DLL
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4872
-
-
C:\Users\Admin\AppData\Local\Temp\HD_2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exeC:\Users\Admin\AppData\Local\Temp\HD_2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5052 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://uu.163.com/3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:668 -
C:\Users\Admin\AppData\Local\Temp\svchost.exeC:\Users\Admin\AppData\Local\Temp\\svchost.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2168 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul5⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:4228 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3040
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\svchos.exeC:\Users\Admin\AppData\Local\Temp\\svchos.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4148
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Checks system information in the registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3232 -
C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff90ba046f8,0x7ff90ba04708,0x7ff90ba047185⤵
- Executes dropped EXE
PID:3124
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=gpu-process --field-trial-handle=2080,3345462886712624423,1438725507934884038,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:25⤵
- Executes dropped EXE
PID:3928
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,3345462886712624423,1438725507934884038,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:35⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4468
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,3345462886712624423,1438725507934884038,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2656 /prefetch:85⤵
- Executes dropped EXE
PID:4404
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2080,3345462886712624423,1438725507934884038,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:15⤵
- Checks computer location settings
- Executes dropped EXE
PID:4356
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2080,3345462886712624423,1438725507934884038,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:15⤵
- Checks computer location settings
- Executes dropped EXE
PID:4380
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2080,3345462886712624423,1438725507934884038,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4176 /prefetch:15⤵
- Checks computer location settings
- Executes dropped EXE
PID:3648
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2080,3345462886712624423,1438725507934884038,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3784 /prefetch:15⤵
- Checks computer location settings
- Executes dropped EXE
PID:4572
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,3345462886712624423,1438725507934884038,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5244 /prefetch:85⤵PID:3892
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,3345462886712624423,1438725507934884038,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5244 /prefetch:85⤵
- Suspicious behavior: EnumeratesProcesses
PID:448
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2080,3345462886712624423,1438725507934884038,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:15⤵
- Checks computer location settings
- Executes dropped EXE
PID:4868
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2080,3345462886712624423,1438725507934884038,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3740 /prefetch:15⤵
- Checks computer location settings
- Executes dropped EXE
PID:3120
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2080,3345462886712624423,1438725507934884038,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4956 /prefetch:15⤵
- Checks computer location settings
- Executes dropped EXE
PID:3684
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=gpu-process --field-trial-handle=2080,3345462886712624423,1438725507934884038,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1464 /prefetch:25⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3468
-
-
-
-
-
C:\Windows\SysWOW64\TXPlatforn.exeC:\Windows\SysWOW64\TXPlatforn.exe -auto1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2300 -
C:\Windows\SysWOW64\TXPlatforn.exeC:\Windows\SysWOW64\TXPlatforn.exe -acsi2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:3768
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"1⤵PID:2404
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4900 -
C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exeC:\Windows\system32\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe "c:\windows\system32\240609343.txt",MainThread2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2336
-
-
C:\Windows\SysWOW64\TXPlatforn.exeC:\Windows\SysWOW64\TXPlatforn.exe -auto1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2328 -
C:\Windows\SysWOW64\TXPlatforn.exeC:\Windows\SysWOW64\TXPlatforn.exe -acsi2⤵
- Executes dropped EXE
PID:2716
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1236
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2012
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution 1
Registry Run Keys / Startup Folder 1
Server Software Component 1
Terminal Services DLL 1
Privilege Escalation
Boot or Logon Autostart Execution 1
Registry Run Keys / Startup Folder 1
Credential Access
Credentials from Password Stores 1
Credentials from Web Browsers 1
Unsecured Credentials 1
Credentials In Files 1
Downloads