Analysis
max time kernel 150s
max time network 148s
platform windows10-2004_x64
resource win10v2004-20241007-en
resource tags arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted 05-12-2024 14:57
Static task static1
Behavioral task behavioral1
Sample 2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe
Resource win7-20240903-en
General
Target 2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe
Size 3.0MB
MD5 7e6bbbe6f0d2afbcdab740efe8b1db6f
SHA1 c3b6d18fe165dabf9b63ea394fcfe2c4cdaa8e7c
SHA256 a44848c7375696bfbeedcc854d522757b99432d73d3e5d17d4e3a4c7525a89d2
SHA512 78f5a011d40aed230af7d38979ddf9184bcb2d81e9da99a21e16b8b923e5405fcfcf7b90be442f72a90d083a555972db1bf3fafc1fda13af20159b953cc55010
SSDEEP 98304:BGdVyVT9nOgmhvnG/wNbTC+vipJ2bsQ+VnG/ws:+WT9nO71+wF/ilQ+V+ws
Malware Config
Signatures
resource yara_rule
behavioral2/memory/3100-6-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit
behavioral2/memory/3100-10-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit
behavioral2/memory/3100-7-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit
behavioral2/memory/4480-15-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit
behavioral2/memory/4480-18-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit
behavioral2/memory/4480-16-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit
behavioral2/memory/4480-27-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit
behavioral2/memory/1244-42-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit
behavioral2/memory/1244-41-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit
behavioral2/memory/1244-43-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit
behavioral2/memory/1244-48-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit
behavioral2/memory/1244-47-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit
Gh0st RAT payload 13 IoCs
resource yara_rule
behavioral2/memory/3100-6-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat
behavioral2/memory/3100-10-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat
behavioral2/memory/3100-7-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat
behavioral2/memory/4480-15-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat
behavioral2/memory/4480-18-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat
behavioral2/memory/4480-16-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat
behavioral2/files/0x000a000000023b9f-31.dat family_gh0strat
behavioral2/memory/4480-27-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat
behavioral2/memory/1244-42-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat
behavioral2/memory/1244-41-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat
behavioral2/memory/1244-43-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat
behavioral2/memory/1244-48-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat
behavioral2/memory/1244-47-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat
Gh0strat family
Purplefox family
Drops file in Drivers directory 1 IoCs
description ioc Process
File created C:\Windows\system32\drivers\QAssist.sys TXPlatforn.exe
Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\240618078.txt" svchos.exe
Sets service image path in registry 2 TTPs 1 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" TXPlatforn.exe
Checks computer location settings 2 TTPs 8 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description ioc Process
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation HD_msedge.exe
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation HD_msedge.exe
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation HD_msedge.exe
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation HD_msedge.exe
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation HD_msedge.exe
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation HD_msedge.exe
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation HD_msedge.exe
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation HD_msedge.exe
Executes dropped EXE 24 IoCs
pid Process
3100 svchost.exe
4480 TXPlatforn.exe
2736 svchos.exe
1244 TXPlatforn.exe
832 HD_2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe
3612 Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
4476 msedge.exe
4748 svchost.exe
2392 TXPlatforn.exe
3076 svchos.exe
2304 TXPlatforn.exe
3848 HD_msedge.exe
3408 HD_msedge.exe
1912 HD_msedge.exe
3312 HD_msedge.exe
3900 HD_msedge.exe
4936 HD_msedge.exe
3952 HD_msedge.exe
3720 HD_msedge.exe
4960 HD_msedge.exe
4908 HD_msedge.exe
3872 HD_msedge.exe
4936 HD_msedge.exe
1136 HD_msedge.exe
Loads dropped DLL 3 IoCs
pid Process
2736 svchos.exe
5064 svchost.exe
3612 Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Checks whether UAC is enabled
description ioc Process
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA HD_msedge.exe
Checks system information in the registry 2 TTPs 2 IoCs
System information is often read in order to detect sandboxing environments.
description ioc Process
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer HD_msedge.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName HD_msedge.exe
Drops file in System32 directory 6 IoCs
description ioc Process
File opened for modification C:\Windows\SysWOW64\TXPlatforn.exe svchost.exe
File created C:\Windows\SysWOW64\240618078.txt svchos.exe
File opened for modification C:\Windows\SysWOW64\ini.ini svchos.exe
File created C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe svchost.exe
File opened for modification C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe svchost.exe
File created C:\Windows\SysWOW64\TXPlatforn.exe svchost.exe
resource yara_rule
behavioral2/memory/3100-5-0x0000000010000000-0x00000000101B6000-memory.dmp upx
behavioral2/memory/3100-6-0x0000000010000000-0x00000000101B6000-memory.dmp upx
behavioral2/memory/3100-10-0x0000000010000000-0x00000000101B6000-memory.dmp upx
behavioral2/memory/3100-7-0x0000000010000000-0x00000000101B6000-memory.dmp upx
behavioral2/memory/4480-15-0x0000000010000000-0x00000000101B6000-memory.dmp upx
behavioral2/memory/4480-18-0x0000000010000000-0x00000000101B6000-memory.dmp upx
behavioral2/memory/4480-16-0x0000000010000000-0x00000000101B6000-memory.dmp upx
behavioral2/memory/4480-27-0x0000000010000000-0x00000000101B6000-memory.dmp upx
behavioral2/memory/1244-42-0x0000000010000000-0x00000000101B6000-memory.dmp upx
behavioral2/memory/1244-41-0x0000000010000000-0x00000000101B6000-memory.dmp upx
behavioral2/memory/1244-39-0x0000000010000000-0x00000000101B6000-memory.dmp upx
behavioral2/memory/4480-13-0x0000000010000000-0x00000000101B6000-memory.dmp upx
behavioral2/memory/1244-43-0x0000000010000000-0x00000000101B6000-memory.dmp upx
behavioral2/memory/1244-48-0x0000000010000000-0x00000000101B6000-memory.dmp upx
behavioral2/memory/1244-47-0x0000000010000000-0x00000000101B6000-memory.dmp upx
Drops file in Program Files directory 7 IoCs
description ioc Process
File created C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe msedge.exe
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe msedge.exe
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe 2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe 2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe
File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe 2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe
File created C:\Program Files (x86)\Google\Chrome\Application\chrome.exe 2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe
File opened for modification C:\Program Files\VideoLAN\VLC\vlc.exe 2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 15 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language TXPlatforn.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchos.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchos.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HD_2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language TXPlatforn.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language msedge.exe
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process
1160 cmd.exe
2592 cmd.exe
4424 PING.EXE
2412 PING.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName HD_msedge.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS HD_msedge.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer HD_msedge.exe
Runs ping.exe 1 TTPs 2 IoCs
pid Process
2412 PING.EXE
4424 PING.EXE
Suspicious behavior: EnumeratesProcesses 15 IoCs
pid Process
4484 2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe
4484 2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe
4476 msedge.exe
4476 msedge.exe
3312 HD_msedge.exe
3312 HD_msedge.exe
3848 HD_msedge.exe
3848 HD_msedge.exe
3848 HD_msedge.exe
3904 identity_helper.exe
3904 identity_helper.exe
1136 HD_msedge.exe
1136 HD_msedge.exe
1136 HD_msedge.exe
1136 HD_msedge.exe
Suspicious behavior: LoadsDriver 1 IoCs
pid Process
1244 TXPlatforn.exe
Suspicious use of AdjustPrivilegeToken 7 IoCs
description pid Process
Token: SeIncBasePriorityPrivilege 3100 svchost.exe
Token: SeLoadDriverPrivilege 1244 TXPlatforn.exe
Token: SeIncBasePriorityPrivilege 4748 svchost.exe
Token: 33 1244 TXPlatforn.exe
Token: SeIncBasePriorityPrivilege 1244 TXPlatforn.exe
Token: 33 1244 TXPlatforn.exe
Token: SeIncBasePriorityPrivilege 1244 TXPlatforn.exe
Suspicious use of FindShellTrayWindow 25 IoCs
pid Process
3848 HD_msedge.exe
3848 HD_msedge.exe
3848 HD_msedge.exe
3848 HD_msedge.exe
3848 HD_msedge.exe
3848 HD_msedge.exe
3848 HD_msedge.exe
3848 HD_msedge.exe
3848 HD_msedge.exe
3848 HD_msedge.exe
3848 HD_msedge.exe
3848 HD_msedge.exe
3848 HD_msedge.exe
3848 HD_msedge.exe
3848 HD_msedge.exe
3848 HD_msedge.exe
3848 HD_msedge.exe
3848 HD_msedge.exe
3848 HD_msedge.exe
3848 HD_msedge.exe
3848 HD_msedge.exe
3848 HD_msedge.exe
3848 HD_msedge.exe
3848 HD_msedge.exe
3848 HD_msedge.exe
Suspicious use of SendNotifyMessage 24 IoCs
pid Process
3848 HD_msedge.exe
3848 HD_msedge.exe
3848 HD_msedge.exe
3848 HD_msedge.exe
3848 HD_msedge.exe
3848 HD_msedge.exe
3848 HD_msedge.exe
3848 HD_msedge.exe
3848 HD_msedge.exe
3848 HD_msedge.exe
3848 HD_msedge.exe
3848 HD_msedge.exe
3848 HD_msedge.exe
3848 HD_msedge.exe
3848 HD_msedge.exe
3848 HD_msedge.exe
3848 HD_msedge.exe
3848 HD_msedge.exe
3848 HD_msedge.exe
3848 HD_msedge.exe
3848 HD_msedge.exe
3848 HD_msedge.exe
3848 HD_msedge.exe
3848 HD_msedge.exe
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process
4484 2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe
4484 2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe
4476 msedge.exe
4476 msedge.exe
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 4484 wrote to memory of 3100 4484 2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe 82
PID 4484 wrote to memory of 3100 4484 2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe 82
PID 4484 wrote to memory of 3100 4484 2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe 82
PID 3100 wrote to memory of 1160 3100 svchost.exe 84
PID 3100 wrote to memory of 1160 3100 svchost.exe 84
PID 3100 wrote to memory of 1160 3100 svchost.exe 84
PID 4484 wrote to memory of 2736 4484 2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe 85
PID 4484 wrote to memory of 2736 4484 2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe 85
PID 4484 wrote to memory of 2736 4484 2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe 85
PID 4480 wrote to memory of 1244 4480 TXPlatforn.exe 86
PID 4480 wrote to memory of 1244 4480 TXPlatforn.exe 86
PID 4480 wrote to memory of 1244 4480 TXPlatforn.exe 86
PID 4484 wrote to memory of 832 4484 2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe 89
PID 4484 wrote to memory of 832 4484 2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe 89
PID 4484 wrote to memory of 832 4484 2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe 89
PID 1160 wrote to memory of 2412 1160 cmd.exe 91
PID 1160 wrote to memory of 2412 1160 cmd.exe 91
PID 1160 wrote to memory of 2412 1160 cmd.exe 91
PID 5064 wrote to memory of 3612 5064 svchost.exe 92
PID 5064 wrote to memory of 3612 5064 svchost.exe 92
PID 5064 wrote to memory of 3612 5064 svchost.exe 92
PID 832 wrote to memory of 4476 832 HD_2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe 95
PID 832 wrote to memory of 4476 832 HD_2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe 95
PID 832 wrote to memory of 4476 832 HD_2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe 95
PID 4476 wrote to memory of 4748 4476 msedge.exe 96
PID 4476 wrote to memory of 4748 4476 msedge.exe 96
PID 4476 wrote to memory of 4748 4476 msedge.exe 96
PID 4748 wrote to memory of 2592 4748 svchost.exe 99
PID 4748 wrote to memory of 2592 4748 svchost.exe 99
PID 4748 wrote to memory of 2592 4748 svchost.exe 99
PID 4476 wrote to memory of 3076 4476 msedge.exe 100
PID 4476 wrote to memory of 3076 4476 msedge.exe 100
PID 4476 wrote to memory of 3076 4476 msedge.exe 100
PID 2392 wrote to memory of 2304 2392 TXPlatforn.exe 101
PID 2392 wrote to memory of 2304 2392 TXPlatforn.exe 101
PID 2392 wrote to memory of 2304 2392 TXPlatforn.exe 101
PID 4476 wrote to memory of 3848 4476 msedge.exe 102
PID 4476 wrote to memory of 3848 4476 msedge.exe 102
PID 3848 wrote to memory of 3408 3848 HD_msedge.exe 103
PID 3848 wrote to memory of 3408 3848 HD_msedge.exe 103
PID 2592 wrote to memory of 4424 2592 cmd.exe 105
PID 2592 wrote to memory of 4424 2592 cmd.exe 105
PID 2592 wrote to memory of 4424 2592 cmd.exe 105
PID 3848 wrote to memory of 1912 3848 HD_msedge.exe 107
PID 3848 wrote to memory of 1912 3848 HD_msedge.exe 107
PID 3848 wrote to memory of 1912 3848 HD_msedge.exe 107
PID 3848 wrote to memory of 1912 3848 HD_msedge.exe 107
PID 3848 wrote to memory of 1912 3848 HD_msedge.exe 107
PID 3848 wrote to memory of 1912 3848 HD_msedge.exe 107
PID 3848 wrote to memory of 1912 3848 HD_msedge.exe 107
PID 3848 wrote to memory of 1912 3848 HD_msedge.exe 107
PID 3848 wrote to memory of 1912 3848 HD_msedge.exe 107
PID 3848 wrote to memory of 1912 3848 HD_msedge.exe 107
PID 3848 wrote to memory of 1912 3848 HD_msedge.exe 107
PID 3848 wrote to memory of 1912 3848 HD_msedge.exe 107
PID 3848 wrote to memory of 1912 3848 HD_msedge.exe 107
PID 3848 wrote to memory of 1912 3848 HD_msedge.exe 107
PID 3848 wrote to memory of 1912 3848 HD_msedge.exe 107
PID 3848 wrote to memory of 1912 3848 HD_msedge.exe 107
PID 3848 wrote to memory of 1912 3848 HD_msedge.exe 107
PID 3848 wrote to memory of 1912 3848 HD_msedge.exe 107
PID 3848 wrote to memory of 1912 3848 HD_msedge.exe 107
PID 3848 wrote to memory of 1912 3848 HD_msedge.exe 107
PID 3848 wrote to memory of 1912 3848 HD_msedge.exe 107
System policy modification 1 TTPs 1 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection HD_msedge.exe
Processes
C:\Users\Admin\AppData\Local\Temp\2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe"C:\Users\Admin\AppData\Local\Temp\2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe"1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4484 -
C:\Users\Admin\AppData\Local\Temp\svchost.exeC:\Users\Admin\AppData\Local\Temp\\svchost.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3100 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul3⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:1160 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.14⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2412
C:\Users\Admin\AppData\Local\Temp\svchos.exeC:\Users\Admin\AppData\Local\Temp\\svchos.exe2⤵
- Server Software Component: Terminal Services DLL
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2736
C:\Users\Admin\AppData\Local\Temp\HD_2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exeC:\Users\Admin\AppData\Local\Temp\HD_2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:832 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://uu.163.com/3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4476 -
C:\Users\Admin\AppData\Local\Temp\svchost.exeC:\Users\Admin\AppData\Local\Temp\\svchost.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4748 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul5⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:2592 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4424
C:\Users\Admin\AppData\Local\Temp\svchos.exeC:\Users\Admin\AppData\Local\Temp\\svchos.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3076
C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Checks system information in the registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3848 -
C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9797246f8,0x7ff979724708,0x7ff9797247185⤵
- Executes dropped EXE
PID:3408
C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=gpu-process --field-trial-handle=2004,2276299255056779769,14848102586962098354,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2072 /prefetch:25⤵
- Executes dropped EXE
PID:1912
C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2004,2276299255056779769,14848102586962098354,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:35⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3312
C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2004,2276299255056779769,14848102586962098354,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2672 /prefetch:85⤵
- Executes dropped EXE
PID:3900
C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2004,2276299255056779769,14848102586962098354,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:15⤵
- Checks computer location settings
- Executes dropped EXE
PID:4936
C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2004,2276299255056779769,14848102586962098354,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:15⤵
- Checks computer location settings
- Executes dropped EXE
PID:3952
C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2004,2276299255056779769,14848102586962098354,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4068 /prefetch:15⤵
- Checks computer location settings
- Executes dropped EXE
PID:3720
C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2004,2276299255056779769,14848102586962098354,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4980 /prefetch:15⤵
- Checks computer location settings
- Executes dropped EXE
PID:4960
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2004,2276299255056779769,14848102586962098354,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5420 /prefetch:85⤵PID:3540
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2004,2276299255056779769,14848102586962098354,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5420 /prefetch:85⤵
- Suspicious behavior: EnumeratesProcesses
PID:3904
C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2004,2276299255056779769,14848102586962098354,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:15⤵
- Checks computer location settings
- Executes dropped EXE
PID:4908
C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2004,2276299255056779769,14848102586962098354,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:15⤵
- Checks computer location settings
- Executes dropped EXE
PID:3872
C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2004,2276299255056779769,14848102586962098354,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3720 /prefetch:15⤵
- Checks computer location settings
- Executes dropped EXE
PID:4936
C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=gpu-process --field-trial-handle=2004,2276299255056779769,14848102586962098354,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1708 /prefetch:25⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1136
C:\Windows\SysWOW64\TXPlatforn.exeC:\Windows\SysWOW64\TXPlatforn.exe -auto1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4480 -
C:\Windows\SysWOW64\TXPlatforn.exeC:\Windows\SysWOW64\TXPlatforn.exe -acsi2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:1244
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"1⤵PID:3016
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5064 -
C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exeC:\Windows\system32\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe "c:\windows\system32\240618078.txt",MainThread2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3612
C:\Windows\SysWOW64\TXPlatforn.exeC:\Windows\SysWOW64\TXPlatforn.exe -auto1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2392 -
C:\Windows\SysWOW64\TXPlatforn.exeC:\Windows\SysWOW64\TXPlatforn.exe -acsi2⤵
- Executes dropped EXE
PID:2304
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3872
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4924
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution 1
Registry Run Keys / Startup Folder 1
Server Software Component 1
Terminal Services DLL 1
Privilege Escalation
Boot or Logon Autostart Execution 1
Registry Run Keys / Startup Folder 1
Credential Access
Credentials from Password Stores 1
Credentials from Web Browsers 1
Unsecured Credentials 1
Credentials In Files 1
Downloads
-
Filesize
3.2MB
MD5 ad8536c7440638d40156e883ac25086e
SHA1 fa9e8b7fb10473a01b8925c4c5b0888924a1147c
SHA256 73d84d249f16b943d1d3f9dd9e516fadd323e70939c29b4a640693eb8818ee9a
SHA512 b5f368be8853aa142dba614dcca7e021aba92b337fe36cfc186714092a4dab1c7a2181954cd737923edd351149980182a090dbde91081c81d83f471ff18888fe
-
Filesize
4.5MB
MD5697617425733ed9a6a15042d32d6da12
SHA1746ff10a1a8cba31f6ce2952a3210ee5ff5b4609
SHA256cc8d88024ea3937f400515aabdf4720d7bcb05cd294efbb8993bc8e4c1d193f6
SHA512a62e453b1b789cde4e5de70f29e384bd41ef5a86d9a5a67c7421eaff8c0a601ff0943cf7a97385a87759d7a5a25b358cd67c3cd29b3921b3996403a1897f0b8f
-
Filesize
152B
MD5e443ee4336fcf13c698b8ab5f3c173d0
SHA19bf70b16f03820cbe3158e1f1396b07b8ac9d75a
SHA25679e277da2074f9467e0518f0f26ca2ba74914bee82553f935a0ccf64a0119e8b
SHA512cbf6f6aa0ea69b47f51592296da2b7be1180e7b483c61b4d17ba9ee1a2d3345cbe0987b96f4e25de1438b553db358f330aad8a26e8522601f055c3d5a8313cdd
-
Filesize
152B
MD556a4f78e21616a6e19da57228569489b
SHA121bfabbfc294d5f2aa1da825c5590d760483bc76
SHA256d036661e765ee8fd18978a2b5501e8df6b220e4bca531d9860407555294c96fb
SHA512c2c3cd1152bb486028fe75ab3ce0d0bc9d64c4ca7eb8860ddd934b2f6e0140d2c913af4fa082b88e92a6a6d20fd483a1cb9813209f371a0f56374bc97d7f863b
-
Filesize
6KB
MD5f7adc2b1277472a9a0d2cda69097681f
SHA1866ea4add1a457cf67994533b1c9ee9a73dff049
SHA256af53d79e2314a2772fdbfcf8413e7a8876b91ea3a3e5ea7f8cf73c838e2698c2
SHA5120d3eb50b4d14d9f6b89e871b50d202b6b0801e0100999e29882dc96586506707abb531fcf40fc58b282ac16d73dedada3d7b3e219e79f6a861fc289f3ac86697
-
Filesize
5KB
MD52f88dc4c5d620be7eb8b9e049fd247c4
SHA1692bcd76725d10e130318925a52b83a8e6450507
SHA256e2a3afe6d44546683949a322eda285a23a8756a36c8248a03e67aa3577f74f5b
SHA512160501370bbbc5ccd564518e7be4aac84fe48decc26acc82436593812f465ff048e3f7ded1c94205371f5020aadd2d20b4d65faa25cd40a580bae18f9fe771b2
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD59b655c7cbd532f1ccb91b00b63892c60
SHA15b1d2a6ee4f898f1ab9dc7e9e73e2a6dc2f70650
SHA25631b5b23c5b776b55928baceb68d2721c7a5993b69484d7c3ff12d65b501caac1
SHA512bef26a4bd83483f101c8f12b4e7524a905b081e539cfb438b24e0a99ff827c7fd5b5ec59d3bced78dad6732a3f838d671af46a99ab67b21bd4716ef818286b87
-
C:\Users\Admin\AppData\Local\Temp\HD_2024-12-05_7e6bbbe6f0d2afbcdab740efe8b1db6f_hijackloader_icedid.exe
Filesize
1.7MB