Analysis

max time kernel: 150s
max time network: 146s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 05-12-2024 14:57
Static task: static1
Behavioral task: behavioral1
Sample: 2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe
Resource: win7-20240903-en

General

Target: 2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe
Size: 3.0MB
MD5: 7e6bbbe6f0d2afbcdab740efe8b1db6f
SHA1: c3b6d18fe165dabf9b63ea394fcfe2c4cdaa8e7c
SHA256: a44848c7375696bfbeedcc854d522757b99432d73d3e5d17d4e3a4c7525a89d2
SHA512: 78f5a011d40aed230af7d38979ddf9184bcb2d81e9da99a21e16b8b923e5405fcfcf7b90be442f72a90d083a555972db1bf3fafc1fda13af20159b953cc55010
SSDEEP: 98304:BGdVyVT9nOgmhvnG/wNbTC+vipJ2bsQ+VnG/ws:+WT9nO71+wF/ilQ+V+ws
Malware Config
Signatures
purplefox_rootkit yara rule matches 9 IoCs
resource | yara_rule
behavioral1/memory/2668-7-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral1/memory/2668-8-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral1/memory/2668-12-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral1/memory/2880-30-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral1/memory/2880-29-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral1/memory/2720-25-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral1/memory/2880-37-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral1/memory/2880-34-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral1/memory/2880-39-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit

Gh0st RAT payload 10 IoCs
resource | yara_rule
behavioral1/memory/2668-7-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral1/memory/2668-8-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral1/memory/2668-12-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral1/memory/2880-30-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral1/memory/2880-29-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral1/files/0x0007000000018731-32.dat | family_gh0strat
behavioral1/memory/2720-25-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral1/memory/2880-37-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral1/memory/2880-34-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral1/memory/2880-39-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat

Gh0strat family

Purplefox family

Drops file in Drivers directory 1 IoCs
description | ioc | Process
File created | C:\Windows\system32\drivers\QAssist.sys | TXPlatforn.exe

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259453203.txt" | svchos.exe

Sets service image path in registry 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" | TXPlatforn.exe
A potential corporate email address has been identified in the URL: icon-macOS@2x_ebb427cc.png
A potential corporate email address has been identified in the URL: icon_hover_macOS@2x_bf56032.png
A potential corporate email address has been identified in the URL: icon_hover_windows@2x_1ab1eec.png
A potential corporate email address has been identified in the URL: icon_normal_Android@2x_fd21f9a9.png
A potential corporate email address has been identified in the URL: icon_normal_Apple@2x_ec4d2a17.png
A potential corporate email address has been identified in the URL: icon_normal_DECK@2x_8559407c.png
A potential corporate email address has been identified in the URL: icon_normal_Pico@2x_e278ad60.png
A potential corporate email address has been identified in the URL: icon_normal_Playstation@2x_e5ad2adf.png
A potential corporate email address has been identified in the URL: icon_normal_Quest@2x_fa9f1659.png
A potential corporate email address has been identified in the URL: icon_normal_Switch@2x_d6d51ce7.png
A potential corporate email address has been identified in the URL: icon_normal_Xbox@2x_d6501e3f.png
A potential corporate email address has been identified in the URL: icon_normal_macOS@2x_23018f4c.png
A potential corporate email address has been identified in the URL: icon_normal_next@2x_8f139c4f.png
A potential corporate email address has been identified in the URL: icon_normal_windows@2x_27887efc.png
A potential corporate email address has been identified in the URL: icon_support_console@2x_ddad8f37.png
A potential corporate email address has been identified in the URL: icon_support_mobile@2x_f10457d6.png
Executes dropped EXE 6 IoCs
pid | Process
2668 | svchost.exe
2720 | TXPlatforn.exe
2880 | TXPlatforn.exe
2300 | svchos.exe
1352 | HD_2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe
924 | Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe

Loads dropped DLL 8 IoCs
pid | Process
1964 | 2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe
2720 | TXPlatforn.exe
1964 | 2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe
2300 | svchos.exe
1756 | svchost.exe
1964 | 2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe
1756 | svchost.exe
924 | Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe

Drops file in System32 directory 6 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\TXPlatforn.exe | svchost.exe
File opened for modification | C:\Windows\SysWOW64\TXPlatforn.exe | svchost.exe
File created | C:\Windows\SysWOW64\259453203.txt | svchos.exe
File opened for modification | C:\Windows\SysWOW64\ini.ini | svchos.exe
File created | C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe | svchost.exe
File opened for modification | C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe | svchost.exe

upx yara rule matches 11 IoCs
resource | yara_rule
behavioral1/memory/2668-7-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral1/memory/2668-8-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral1/memory/2668-12-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral1/memory/2668-5-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral1/memory/2880-30-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral1/memory/2880-29-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral1/memory/2880-27-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral1/memory/2720-25-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral1/memory/2880-37-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral1/memory/2880-34-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral1/memory/2880-39-0x0000000010000000-0x00000000101B6000-memory.dmp | upx

Drops file in Program Files directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | 2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | 2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe
File created | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | 2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | 2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | TXPlatforn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchos.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PING.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | HD_2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
2712 | cmd.exe
2600 | PING.EXE
Modifies Internet Explorer settings
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IntelliForms | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\163.com\Total = "77" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\GPU | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\uu.163.com | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\163.com\Total = "47" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "77" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "439572558" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "29" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "47" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Zoom | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\163.com\Total = "29" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\uu.163.com\ = "47" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\InternetRegistry | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{58170A51-B319-11EF-8F1B-EAF933E40231} = "0" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\163.com | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\163.com\NumberOfSubdomains = "1" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\uu.163.com\ = "29" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\uu.163.com\ = "77" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\PageSetup | iexplore.exe
Runs ping.exe 1 TTPs 1 IoCs
pid | Process
2600 | PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs
pid | Process
1964 | 2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe

Suspicious behavior: LoadsDriver 1 IoCs
pid | Process
2880 | TXPlatforn.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs
description | pid | Process
Token: SeIncBasePriorityPrivilege | 2668 | svchost.exe
Token: SeLoadDriverPrivilege | 2880 | TXPlatforn.exe
Token: 33 | 2880 | TXPlatforn.exe
Token: SeIncBasePriorityPrivilege | 2880 | TXPlatforn.exe
Token: 33 | 2880 | TXPlatforn.exe
Token: SeIncBasePriorityPrivilege | 2880 | TXPlatforn.exe

Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
332 | iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs
pid | Process
1964 | 2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe
1964 | 2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe
332 | iexplore.exe
332 | iexplore.exe
1100 | IEXPLORE.EXE
1100 | IEXPLORE.EXE

Suspicious use of WriteProcessMemory 42 IoCs
description | pid | Process | procid_target
PID 1964 wrote to memory of 2668 | 1964 | 2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe | 30
PID 1964 wrote to memory of 2668 | 1964 | 2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe | 30
PID 1964 wrote to memory of 2668 | 1964 | 2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe | 30
PID 1964 wrote to memory of 2668 | 1964 | 2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe | 30
PID 1964 wrote to memory of 2668 | 1964 | 2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe | 30
PID 1964 wrote to memory of 2668 | 1964 | 2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe | 30
PID 1964 wrote to memory of 2668 | 1964 | 2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe | 30
PID 2668 wrote to memory of 2712 | 2668 | svchost.exe | 32
PID 2668 wrote to memory of 2712 | 2668 | svchost.exe | 32
PID 2668 wrote to memory of 2712 | 2668 | svchost.exe | 32
PID 2668 wrote to memory of 2712 | 2668 | svchost.exe | 32
PID 2720 wrote to memory of 2880 | 2720 | TXPlatforn.exe | 33
PID 2720 wrote to memory of 2880 | 2720 | TXPlatforn.exe | 33
PID 2720 wrote to memory of 2880 | 2720 | TXPlatforn.exe | 33
PID 2720 wrote to memory of 2880 | 2720 | TXPlatforn.exe | 33
PID 2720 wrote to memory of 2880 | 2720 | TXPlatforn.exe | 33
PID 2720 wrote to memory of 2880 | 2720 | TXPlatforn.exe | 33
PID 2720 wrote to memory of 2880 | 2720 | TXPlatforn.exe | 33
PID 1964 wrote to memory of 2300 | 1964 | 2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe | 35
PID 1964 wrote to memory of 2300 | 1964 | 2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe | 35
PID 1964 wrote to memory of 2300 | 1964 | 2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe | 35
PID 1964 wrote to memory of 2300 | 1964 | 2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe | 35
PID 2712 wrote to memory of 2600 | 2712 | cmd.exe | 36
PID 2712 wrote to memory of 2600 | 2712 | cmd.exe | 36
PID 2712 wrote to memory of 2600 | 2712 | cmd.exe | 36
PID 2712 wrote to memory of 2600 | 2712 | cmd.exe | 36
PID 1964 wrote to memory of 1352 | 1964 | 2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe | 39
PID 1964 wrote to memory of 1352 | 1964 | 2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe | 39
PID 1964 wrote to memory of 1352 | 1964 | 2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe | 39
PID 1964 wrote to memory of 1352 | 1964 | 2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe | 39
PID 1756 wrote to memory of 924 | 1756 | svchost.exe | 40
PID 1756 wrote to memory of 924 | 1756 | svchost.exe | 40
PID 1756 wrote to memory of 924 | 1756 | svchost.exe | 40
PID 1756 wrote to memory of 924 | 1756 | svchost.exe | 40
PID 1352 wrote to memory of 332 | 1352 | HD_2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe | 41
PID 1352 wrote to memory of 332 | 1352 | HD_2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe | 41
PID 1352 wrote to memory of 332 | 1352 | HD_2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe | 41
PID 1352 wrote to memory of 332 | 1352 | HD_2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe | 41
PID 332 wrote to memory of 1100 | 332 | iexplore.exe | 42
PID 332 wrote to memory of 1100 | 332 | iexplore.exe | 42
PID 332 wrote to memory of 1100 | 332 | iexplore.exe | 42
PID 332 wrote to memory of 1100 | 332 | iexplore.exe | 42
Processes

[1] C:\Users\Admin\AppData\Local\Temp\2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe"
    PID: 1964
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\svchost.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\\svchost.exe
        PID: 2668
        - Executes dropped EXE
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul
            PID: 2712
            - System Location Discovery: System Language Discovery
            - System Network Configuration Discovery: Internet Connection Discovery
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\PING.EXE
                Command line: ping -n 2 127.0.0.1
                PID: 2600
                - System Location Discovery: System Language Discovery
                - System Network Configuration Discovery: Internet Connection Discovery
                - Runs ping.exe

    [2] C:\Users\Admin\AppData\Local\Temp\svchos.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\\svchos.exe
        PID: 2300
        - Server Software Component: Terminal Services DLL
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery

    [2] C:\Users\Admin\AppData\Local\Temp\HD_2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\HD_2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe
        PID: 1352
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        [3] C:\Program Files\Internet Explorer\iexplore.exe
            Command line: "C:\Program Files\Internet Explorer\iexplore.exe" https://uu.163.com/
            PID: 332
            - Modifies Internet Explorer settings
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory

            [4] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:332 CREDAT:275457 /prefetch:2
                PID: 1100
                - System Location Discovery: System Language Discovery
                - Modifies Internet Explorer settings
                - Suspicious use of SetWindowsHookEx

[1] C:\Windows\SysWOW64\TXPlatforn.exe
    Command line: C:\Windows\SysWOW64\TXPlatforn.exe -auto
    PID: 2720
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\TXPlatforn.exe
        Command line: C:\Windows\SysWOW64\TXPlatforn.exe -acsi
        PID: 2880
        - Drops file in Drivers directory
        - Sets service image path in registry
        - Executes dropped EXE
        - Suspicious behavior: LoadsDriver
        - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\SysWOW64\svchost.exe
    Command line: C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
    PID: 2644

[1] C:\Windows\SysWOW64\svchost.exe
    Command line: C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
    PID: 1756
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
        Command line: C:\Windows\system32\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe "c:\windows\system32\259453203.txt",MainThread
        PID: 924
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Server Software Component (1)
    Terminal Services DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Downloads