Analysis
max time kernel: 150s
max time network: 150s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 08-12-2024 18:51
Static task: static1
Behavioral task: behavioral1
Sample: 2024-12-08_7091ef9191eae2ef9fba1acd659f916d_hijackloader_icedid.exe
Resource: win7-20240729-en
General
Target: 2024-12-08_7091ef9191eae2ef9fba1acd659f916d_hijackloader_icedid.exe
Size: 3.0MB
MD5: 7091ef9191eae2ef9fba1acd659f916d
SHA1: 3d2cd6a23c64fb57b07e517d00854bbde43bf0ea
SHA256: 7f68f7239f7f8ea8d9be6de86e869a508096d6da0c2e02f57520f0959018930c
SHA512: faac00de734b6d85150570c648e29057b3e80811e3415732b7d65c039109a6bb5cb0b68bb345ae32f6f510ae2d283094879b9a10a5c99eaba456bf318c4c3437
SSDEEP: 49152:oQZAdVyVT9n/Gg0P+WhognG/wNCYnTC+vOuCsJwJ2k+s9pk+mcnG/wVUNQ3u:BGdVyVT9nOgmhvnG/wNbTC+vipJ2bsQr
Malware Config
Signatures
resource | yara_rule
behavioral1/memory/2500-7-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral1/memory/2500-12-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral1/memory/2712-18-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral1/memory/2712-27-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral1/memory/2500-23-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral1/memory/2828-37-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral1/memory/2828-33-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral1/memory/2828-41-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
Gh0st RAT payload 9 IoCs
resource | yara_rule
behavioral1/memory/2500-7-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral1/memory/2500-12-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral1/memory/2712-18-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral1/memory/2712-27-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral1/memory/2500-23-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral1/files/0x00070000000193b3-39.dat | family_gh0strat
behavioral1/memory/2828-37-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral1/memory/2828-33-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral1/memory/2828-41-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
Gh0strat family
Purplefox family
Drops file in Drivers directory 1 IoCs
description | ioc | Process
File created | C:\Windows\system32\drivers\QAssist.sys | TXPlatforn.exe
Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259537006.txt" | svchos.exe
The service name Ö÷¶¯·ÀÓù·þÎñÄ£¿é is the GBK-encoded string 主动防御服务模块 ("Active Defense Service Module") rendered through the en-us sandbox's code page; it is recorded here exactly as it appears on the analysis system, which is also how it will appear on any non-Chinese-locale victim. A ServiceDll value that points at a .txt file under system32 is itself a strong indicator: svchost.exe loads the path as a DLL regardless of its extension.
Sets service image path in registry 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" | TXPlatforn.exe
A potential corporate email address has been identified in the URL 16 IoCs
All sixteen hits are image asset names whose "@2x" suffix denotes a 2x-resolution icon, not a mailbox address; this signature is a false positive of the address heuristic and carries no intelligence value on its own.
- icon-macOS@2x_ebb427cc.png
- icon_hover_macOS@2x_bf56032.png
- icon_hover_windows@2x_1ab1eec.png
- icon_normal_Android@2x_fd21f9a9.png
- icon_normal_Apple@2x_ec4d2a17.png
- icon_normal_DECK@2x_8559407c.png
- icon_normal_Pico@2x_e278ad60.png
- icon_normal_Playstation@2x_e5ad2adf.png
- icon_normal_Quest@2x_fa9f1659.png
- icon_normal_Switch@2x_d6d51ce7.png
- icon_normal_Xbox@2x_d6501e3f.png
- icon_normal_macOS@2x_23018f4c.png
- icon_normal_next@2x_8f139c4f.png
- icon_normal_windows@2x_27887efc.png
- icon_support_console@2x_ddad8f37.png
- icon_support_mobile@2x_f10457d6.png
Executes dropped EXE 6 IoCs
pid | Process
2500 | svchost.exe
2712 | TXPlatforn.exe
2836 | svchos.exe
2828 | TXPlatforn.exe
2696 | HD_2024-12-08_7091ef9191eae2ef9fba1acd659f916d_hijackloader_icedid.exe
2720 | Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
Loads dropped DLL 8 IoCs
pid | Process
1456 | 2024-12-08_7091ef9191eae2ef9fba1acd659f916d_hijackloader_icedid.exe
1456 | 2024-12-08_7091ef9191eae2ef9fba1acd659f916d_hijackloader_icedid.exe
2712 | TXPlatforn.exe
2836 | svchos.exe
2920 | svchost.exe
1456 | 2024-12-08_7091ef9191eae2ef9fba1acd659f916d_hijackloader_icedid.exe
2920 | svchost.exe
2720 | Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
Drops file in System32 directory 6 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\TXPlatforn.exe | svchost.exe
File created | C:\Windows\SysWOW64\259537006.txt | svchos.exe
File opened for modification | C:\Windows\SysWOW64\ini.ini | svchos.exe
File created | C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe | svchost.exe
File opened for modification | C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe | svchost.exe
File created | C:\Windows\SysWOW64\TXPlatforn.exe | svchost.exe
resource | yara_rule
behavioral1/memory/2500-5-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral1/memory/2500-7-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral1/memory/2500-12-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral1/memory/2712-18-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral1/memory/2712-27-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral1/memory/2500-23-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral1/memory/2828-37-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral1/memory/2828-33-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral1/memory/2828-41-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
Drops file in Program Files directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | 2024-12-08_7091ef9191eae2ef9fba1acd659f916d_hijackloader_icedid.exe
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | 2024-12-08_7091ef9191eae2ef9fba1acd659f916d_hijackloader_icedid.exe
File created | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | 2024-12-08_7091ef9191eae2ef9fba1acd659f916d_hijackloader_icedid.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | 2024-12-08_7091ef9191eae2ef9fba1acd659f916d_hijackloader_icedid.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 10 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | HD_2024-12-08_7091ef9191eae2ef9fba1acd659f916d_hijackloader_icedid.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | TXPlatforn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchos.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PING.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2024-12-08_7091ef9191eae2ef9fba1acd659f916d_hijackloader_icedid.exe
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
2768 | cmd.exe
2960 | PING.EXE
Modifies Internet Explorer settings 40 IoCs
All keys below are relative to \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer; they result from the browser being launched against https://uu.163.com/ and are ordinary Internet Explorer housekeeping rather than malware-written values.
description | ioc | Process
Set value (int) | DOMStorage\uu.163.com\ = "77" | IEXPLORE.EXE
Key created | Main | iexplore.exe
Key created | LowRegistry | iexplore.exe
Key created | Toolbar\WebBrowser | iexplore.exe
Key created | DOMStorage\163.com | IEXPLORE.EXE
Key created | DOMStorage | IEXPLORE.EXE
Set value (int) | DOMStorage\uu.163.com\ = "29" | IEXPLORE.EXE
Key created | InternetRegistry | iexplore.exe
Key created | Main\WindowsSearch | iexplore.exe
Set value (int) | DOMStorage\163.com\NumberOfSubdomains = "1" | IEXPLORE.EXE
Key created | DOMStorage\uu.163.com | IEXPLORE.EXE
Set value (int) | DOMStorage\163.com\Total = "47" | IEXPLORE.EXE
Key created | IETld\LowMic | iexplore.exe
Set value (data) | Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
Set value (int) | DOMStorage\163.com\Total = "29" | IEXPLORE.EXE
Set value (int) | DOMStorage\Total\ = "47" | IEXPLORE.EXE
Key created | PageSetup | iexplore.exe
Set value (int) | Main\CompatibilityFlags = "0" | iexplore.exe
Set value (str) | Main\FullScreen = "no" | iexplore.exe
Key created | DOMStorage\Total | IEXPLORE.EXE
Key created | DomainSuggestion | iexplore.exe
Set value (int) | Recovery\PendingRecovery\AdminActive = "1" | iexplore.exe
Set value (int) | DomainSuggestion\NextUpdateDate = "439845777" | iexplore.exe
Key created | GPU | iexplore.exe
Key created | Toolbar | iexplore.exe
Key created | Recovery\AdminActive | iexplore.exe
Set value (int) | Recovery\AdminActive\{7B49DEC1-B595-11EF-9B6B-D681211CE335} = "0" | iexplore.exe
Set value (str) | Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Key created | Recovery\PendingRecovery | iexplore.exe
Set value (int) | Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Set value (int) | DOMStorage\Total\ = "29" | IEXPLORE.EXE
Key created | BrowserEmulation\LowMic | iexplore.exe
Key created | IntelliForms | iexplore.exe
Key created | LowRegistry\DOMStorage | iexplore.exe
Key created | LowRegistry\DontShowMeThisDialogAgain | iexplore.exe
Key created | Zoom | iexplore.exe
Key created | Main | IEXPLORE.EXE
Set value (int) | DOMStorage\uu.163.com\ = "47" | IEXPLORE.EXE
Set value (int) | DOMStorage\Total\ = "77" | IEXPLORE.EXE
Set value (int) | DOMStorage\163.com\Total = "77" | IEXPLORE.EXE
Runs ping.exe 1 TTPs 1 IoCs
pid | Process
2960 | PING.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid | Process
1456 | 2024-12-08_7091ef9191eae2ef9fba1acd659f916d_hijackloader_icedid.exe
Suspicious behavior: LoadsDriver 1 IoCs
pid | Process
2828 | TXPlatforn.exe
Suspicious use of AdjustPrivilegeToken 6 IoCs
description | pid | Process
Token: SeIncBasePriorityPrivilege | 2500 | svchost.exe
Token: SeLoadDriverPrivilege | 2828 | TXPlatforn.exe
Token: 33 | 2828 | TXPlatforn.exe
Token: SeIncBasePriorityPrivilege | 2828 | TXPlatforn.exe
Token: 33 | 2828 | TXPlatforn.exe
Token: SeIncBasePriorityPrivilege | 2828 | TXPlatforn.exe
Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
476 | iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs
pid | Process
1456 | 2024-12-08_7091ef9191eae2ef9fba1acd659f916d_hijackloader_icedid.exe
1456 | 2024-12-08_7091ef9191eae2ef9fba1acd659f916d_hijackloader_icedid.exe
476 | iexplore.exe
476 | iexplore.exe
2896 | IEXPLORE.EXE
2896 | IEXPLORE.EXE
Suspicious use of WriteProcessMemory 42 IoCs
Identical rows are collapsed; the count in parentheses is the number of times the sandbox logged that row.
description | pid | Process | procid_target
PID 1456 wrote to memory of 2500 | 1456 | 2024-12-08_7091ef9191eae2ef9fba1acd659f916d_hijackloader_icedid.exe | 29 (x7)
PID 2500 wrote to memory of 2768 | 2500 | svchost.exe | 31 (x4)
PID 1456 wrote to memory of 2836 | 1456 | 2024-12-08_7091ef9191eae2ef9fba1acd659f916d_hijackloader_icedid.exe | 33 (x4)
PID 2712 wrote to memory of 2828 | 2712 | TXPlatforn.exe | 32 (x7)
PID 2768 wrote to memory of 2960 | 2768 | cmd.exe | 35 (x4)
PID 1456 wrote to memory of 2696 | 1456 | 2024-12-08_7091ef9191eae2ef9fba1acd659f916d_hijackloader_icedid.exe | 38 (x4)
PID 2920 wrote to memory of 2720 | 2920 | svchost.exe | 39 (x4)
PID 2696 wrote to memory of 476 | 2696 | HD_2024-12-08_7091ef9191eae2ef9fba1acd659f916d_hijackloader_icedid.exe | 40 (x4)
PID 476 wrote to memory of 2896 | 476 | iexplore.exe | 41 (x4)
Processes
Each entry gives the image path, the command line as logged, the PID, and the signatures that fired on that process; indentation follows the parent/child tree and the leading number is the depth from the original report.
1. C:\Users\Admin\AppData\Local\Temp\2024-12-08_7091ef9191eae2ef9fba1acd659f916d_hijackloader_icedid.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2024-12-08_7091ef9191eae2ef9fba1acd659f916d_hijackloader_icedid.exe"
   PID: 1456
   - Loads dropped DLL
   - Drops file in Program Files directory
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\svchost.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\\svchost.exe
      PID: 2500
      - Executes dropped EXE
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul
         PID: 2768
         - System Location Discovery: System Language Discovery
         - System Network Configuration Discovery: Internet Connection Discovery
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\PING.EXE
            Command line: ping -n 2 127.0.0.1
            PID: 2960
            - System Location Discovery: System Language Discovery
            - System Network Configuration Discovery: Internet Connection Discovery
            - Runs ping.exe
   2. C:\Users\Admin\AppData\Local\Temp\svchos.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\\svchos.exe
      PID: 2836
      - Server Software Component: Terminal Services DLL
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
   2. C:\Users\Admin\AppData\Local\Temp\HD_2024-12-08_7091ef9191eae2ef9fba1acd659f916d_hijackloader_icedid.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\HD_2024-12-08_7091ef9191eae2ef9fba1acd659f916d_hijackloader_icedid.exe
      PID: 2696
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Program Files\Internet Explorer\iexplore.exe
         Command line: "C:\Program Files\Internet Explorer\iexplore.exe" https://uu.163.com/
         PID: 476
         - Modifies Internet Explorer settings
         - Suspicious use of FindShellTrayWindow
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory
         4. C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:476 CREDAT:275457 /prefetch:2
            PID: 2896
            - System Location Discovery: System Language Discovery
            - Modifies Internet Explorer settings
            - Suspicious use of SetWindowsHookEx
1. C:\Windows\SysWOW64\TXPlatforn.exe
   Command line: C:\Windows\SysWOW64\TXPlatforn.exe -auto
   PID: 2712
   - Executes dropped EXE
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\TXPlatforn.exe
      Command line: C:\Windows\SysWOW64\TXPlatforn.exe -acsi
      PID: 2828
      - Drops file in Drivers directory
      - Sets service image path in registry
      - Executes dropped EXE
      - Suspicious behavior: LoadsDriver
      - Suspicious use of AdjustPrivilegeToken
1. C:\Windows\SysWOW64\svchost.exe
   Command line: C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
   PID: 2672
1. C:\Windows\SysWOW64\svchost.exe
   Command line: C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
   PID: 2920
   - Loads dropped DLL
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
      Command line: C:\Windows\system32\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe "c:\windows\system32\259537006.txt",MainThread
      PID: 2720
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Server Software Component (1)
  - Terminal Services DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Downloads
Entries without a path are listed as the report recorded them.
- Filesize: 914B
  MD5: e4a68ac854ac5242460afd72481b2a44
  SHA1: df3c24f9bfd666761b268073fe06d1cc8d4f82a4
  SHA256: cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
  SHA512: 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3FE2BD01AB6BC312BF0DADE7F797388F_F7F9B7BDCC367A8E3539D28F7D4D4BA2
  Filesize: 471B
  MD5: 8991e31238413ee7567c908f32884884
  SHA1: 1d4165114be6af809dd9ab3fa4ebfd3ea32b8db7
  SHA256: 3a3cb667168ae26a846b05e12f5f8ec3fcb12bc20f087d880445611a26a01dab
  SHA512: 66fa1db9e6b658ad22a84382c162ed133c99a3d575cc0433874a480339321d49f2f3373e37fbd7611e0152a143e91f0fa79da002f1fec85f7de93cd72673954f
- Filesize: 1KB
  MD5: a266bb7dcc38a562631361bbf61dd11b
  SHA1: 3b1efd3a66ea28b16697394703a72ca340a05bd5
  SHA256: df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
  SHA512: 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
  Filesize: 252B
  MD5: 4982a9fae61edfd86d072e9c1ef6acbe
  SHA1: 9b6e89949513de35111a5a697c4e9b244261dfe1
  SHA256: c0406a968ba4e5e4f120c62ec61b8dff6b9ff14055bae30d777f122623de273e
  SHA512: cec6e02dfa1abb5a5989b711e45611f5cf055942c225416f50805230db1510ffe51128b05330249d5b84c895dc347eaab5e6b0bbf34560b35755d3ee333e30f4
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: e8169380ba44d3931637250c1cbdd804
  SHA1: 23ecacdff1910d3129be3155b430cc63fa632cbf
  SHA256: d5f2c0d9f29862966b9de38f5cc21221abd83d8c2e422343718a3ab05fee9aa0
  SHA512: f671a3d5a8d9d3a0315f6a422fcddd88123b1e59fe55a3b7a42e9a52687f11c5e002f90501d2fb70edb23ec05931a8854c24aa2cb3b0c08e6fb5a11cfa000842
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: d07471f83426cdebb547e02ebbb4ec02
  SHA1: ca5320011ea60f58feee6a026f2a9430b8cc2aa9
  SHA256: 6019a2cc5126532bfd2201c2ac12caa75a9b67d86f10ebae4bc0fbde4e3c22b6
  SHA512: 0b4a147cb62e83241f2065e0ad13528c6b3675d34a111c25223c5d4b7bb531e23d2b571fc57d52a6871e9c7769660c0223cb5bc669fb8ee4878eb17af58b469e
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: a8612411253b1f30be529d8816603e88
  SHA1: 40e8e6b0da0c8fdc7ab081c97c488c08d67065db
  SHA256: 97c2a22a2b3f1012ba0ab9ba849c537e92dd5523b21032d28ea62d06396b330a
  SHA512: 89b5e23adb735075de1323e84e3328dc884c5acf441fe4634e17c70970815197f723a4f4022cc0236c8460d54756d1d67a513aebb1f17c390d75adb1945c0262
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: fd451394f22b4fd45575025a1a0c6789
  SHA1: b2c6943cdc2b6d0a331950a468329093e0cec256
  SHA256: fe77e24303d7c23b8289dc2f3320beb0ca6063cd773d1186ebd1b8c8356215d4
  SHA512: 0227e98edef7dc207db76bad12c7b8db20be7bef72847972b7ae6b4aba7e981c9a74d78e28cc9a254bb75943a04cf6476ec76aeb2a2865b7a57a7e4ed3eeccdd
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 9724e47bedaeeca167be353379b06ab7
  SHA1: 56e4f7039c44a46347f26476d3dc7e478338892d
  SHA256: eeda36f5b68dcf8b5b4288965d3fe94e34bc0f71525a18240dc0fd7bdc18b24b
  SHA512: 3704d9b2a15c532dfa4cd9a018195a94abb7a5fdbb0bbb6f5ff8eea7e2406d4027d22c57089af389ebc5c57a7a1b8983ba9cf88fe28cddf63bda38ddb55632d0
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: f8d5fa4618d1bf9a93eefb7fae9a4086
  SHA1: 0ab286aa5f0aa7fca37f8b44c532c4a45a29d8e2
  SHA256: 70d6b40b43b90823142e54cc5fe1721a6e91ff7b72ea5e653b48ed7555e43f5b
  SHA512: b69ca9a174591d82cd0e9dede2073209f3c3ba7d712ac14c746b782fbf4b0bb5a1c2c73dde9ca90554051b2fd0397fa48ddbb2b3eeeff84976a328046e7cc0d4
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 273f90e07ccd7553df76204e00c92b2d
  SHA1: ad7751d461254c4b0adb9a300ae9703a75d7478f
  SHA256: b4c3169becb20095dcffd837f89ecad3b468b4c34df97aff72e42f997c0cdda3
  SHA512: 59352abf4c8caf9b6d4d4a103919360a029ed72cb5ab2873013e23fed8e9e902016b1be6bf86da4194567949f58ef585e955e05428802c4fcdaadd41c3e54b8c
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: affec39c10e17401e891bb27b6800e27
  SHA1: dd19712b665e766af1a00d4f2f8c6252dbd2e4c6
  SHA256: 8b7fabb0cc40e6f69a9548439f1dcb2183e9b817ccb16a69522608e75bcc66d8
  SHA512: c45426a3b8b4556f27c23e48401662b316f0917cc71c26b36fb2af8b2064d10446cb5b53d74a4a9751d5ccf944bae5425b1f6e0942862a9ed1558179e7978345
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 1d1ee3a3e97d82a3d293ac2085bbe277
  SHA1: 2d4244e1299e48ef6e78c8f4538000c577b7e0ff
  SHA256: 9a7d87af1b01797c7bb3cae59c2ebe3f0eabd49aa6f12c0245af5a2875282465
  SHA512: b28e78d46f7f332f01a4239c189c498f935367da8187e166657f4a5214395181ef7839256b2a68f5b7a0999225b319a2dedb2c1e5280864984d15d6220031557
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: e277ce427002bf257b09627947772921
  SHA1: 4893c94a86278973a00a95d6d1666cd03d59b070
  SHA256: 7d5db56252314cb3cd49b83da2f616fd0d5a47d864c10239c2fa2a7e61a4eb08
  SHA512: 70a4a64282faa473933e00c5989ceb079d673e77e9805312d39a8ee9cc2e64a5cf05c6316c23f3b356a2293ba5790e1cb9ab75d55b3ad25ecaea65f7bf83b294
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
  Filesize: 242B
  MD5: b2818018014e4cb0cf107b80662f3694
  SHA1: 831493e6ff7419a311d70372c01a8bb1008b7926
  SHA256: 27b7d59e8359bbc20167fdcda2faecc75a5f267c8d65d8cd7b46edbd64b6fe83
  SHA512: d5973059381d6bbf22b2e5d2aa44afb9b91397c6e94fedc89b5bf25e73763da918ef88c85a7fb9f04f93fca680e2cd546d6f9bc7676c6334f64121e2a69ed426
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
  Filesize: 242B
  MD5: 144e4e5239e3859eb4fdeb96eb603513
  SHA1: 101934eb8a0a5dc0c1f608d67718bf772615f254
  SHA256: ef3a8275e5027490c89eb23f675d5ae5d1757e4092bda97e4c225930ee5c18fa
  SHA512: 76b974efb6bacd96ab59b788312ac3d6dfaf4366ffb04023cb35edf2db2add3a06e71d0433b055b3667025f8331fbe113db64bad7d8bd931c982ae6d3fa79009
- Filesize: 273B
  MD5: 359ac55b632899825d1671ba6996bdfb
  SHA1: 8f53a6e1eff23176fde05e345d48eea50be248bb
  SHA256: 12457697ea7437f0131f36e7f7ff4ce54cc2ca350530e4a79652bdc6cdc6a252
  SHA512: 995c064cac6b064f5265fcc76da93fd703101bf4efc372ece859e051273bf8ec8f0aab9956bfd0e129f80d4e94f5be6af7f2f4287feba049a49a8469fb2b6dc0
- Filesize: 70KB
  MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
  SHA1: 1723be06719828dda65ad804298d0431f6aff976
  SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
  SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
- Filesize: 1.3MB
  MD5: f220d9369aebfed8404cfeadd8f3a818
  SHA1: 86c0095799f2937a9296d030c5b00475424779de
  SHA256: c4af430a63b0c6576f38440dca4f25286ac0fc16f017c86701f31d10449c8e88
  SHA512: 3937316c9279274eeefbd8aef410d3cd72c784d9cf4981319bdd91eca8ff37dcf69e266b1b99bf5dfd0b7b0a2ba582d07eff1e21f753590ebf25a03ec960a13e
- Filesize: 181KB
  MD5: 4ea6026cf93ec6338144661bf1202cd1
  SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
  SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
  SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
- Filesize: 93KB
  MD5: 3b377ad877a942ec9f60ea285f7119a2
  SHA1: 60b23987b20d913982f723ab375eef50fafa6c70
  SHA256: 62954fdf65e629b39a29f539619d20691332184c6b6be5a826128a8e759bfa84
  SHA512: af3a71f867ad9d28772c48b521097f9bf8931eb89fd2974e8de10990241419a39ddc3c0b36dd38aac4fdf14e1f0c5e228692618e93adce958d5b5dab8940e46f
- \Users\Admin\AppData\Local\Temp\HD_2024-12-08_7091ef9191eae2ef9fba1acd659f916d_hijackloader_icedid.exe
  Filesize: 1.7MB
  MD5: 41d1320b270d52fc54f88851b045fd4d
  SHA1: 652b67083bcae6db3ce156a13e33657ce026a74f
  SHA256: 98a3e9f2d4313e78bd7cab53070d2a26f292129edd53fa329394eb4e793c104a
  SHA512: 03d5ecf5f3de36001fbf9cae283c7db474124ead885c4c45837400f0bc3d86f903417f92b5e1094fedfefcbaf82ace12104c7b6d8bfe9fd2527854f2808e9354
- Filesize: 377KB
  MD5: a4329177954d4104005bce3020e5ef59
  SHA1: 23c29e295e2dbb8454012d619ca3f81e4c16e85a
  SHA256: 6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd
  SHA512: 81e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208
- Filesize: 50KB
  MD5: 80b032f655811be3b47aa4c3015b5ef7
  SHA1: 41ad6ea4432a15354d3a2bf7777139cbac813415
  SHA256: 92867cfefc47ff44e2b9165e5548510a7e4f245f2c34fb7bcb6b9eb012157b44
  SHA512: 83b43bc584aacb6e7a6d4fdae3f0c47cb6ca1711804ccd60b963d53a0c63fcae27cb568f7eb9f2a866cee54a9bed63435b7a6a75e79e743e382ae6e4dbc331d5
- Filesize: 43KB
  MD5: 51138beea3e2c21ec44d0932c71762a8
  SHA1: 8939cf35447b22dd2c6e6f443446acc1bf986d58
  SHA256: 5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124
  SHA512: 794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d