Analysis
max time kernel: 150s
max time network: 151s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 08-12-2024 18:57
Static task: static1
Behavioral task: behavioral1
Sample: 2024-12-08_7091ef9191eae2ef9fba1acd659f916d_hijackloader_icedid.exe
Resource: win7-20240903-en
General
Target: 2024-12-08_7091ef9191eae2ef9fba1acd659f916d_hijackloader_icedid.exe
Size: 3.0MB
MD5: 7091ef9191eae2ef9fba1acd659f916d
SHA1: 3d2cd6a23c64fb57b07e517d00854bbde43bf0ea
SHA256: 7f68f7239f7f8ea8d9be6de86e869a508096d6da0c2e02f57520f0959018930c
SHA512: faac00de734b6d85150570c648e29057b3e80811e3415732b7d65c039109a6bb5cb0b68bb345ae32f6f510ae2d283094879b9a10a5c99eaba456bf318c4c3437
SSDEEP: 49152:oQZAdVyVT9n/Gg0P+WhognG/wNCYnTC+vOuCsJwJ2k+s9pk+mcnG/wVUNQ3u:BGdVyVT9nOgmhvnG/wNbTC+vipJ2bsQr
Malware Config
Signatures
yara_rule purplefox_rootkit matched in the following resources (10 IoCs):
- behavioral1/memory/1660-8-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral1/memory/1660-9-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral1/memory/1660-7-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral1/memory/1836-27-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral1/memory/864-30-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral1/memory/864-31-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral1/memory/1660-25-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral1/memory/864-32-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral1/memory/864-38-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral1/memory/864-40-0x0000000010000000-0x00000000101B6000-memory.dmp
Gh0st RAT payload 11 IoCs
yara_rule family_gh0strat matched in the following resources:
- behavioral1/memory/1660-8-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral1/memory/1660-9-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral1/memory/1660-7-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral1/memory/1836-27-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral1/memory/864-30-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral1/memory/864-31-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral1/memory/1660-25-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral1/memory/864-32-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral1/files/0x000700000001922c-34.dat
- behavioral1/memory/864-38-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral1/memory/864-40-0x0000000010000000-0x00000000101B6000-memory.dmp
Gh0strat family
Purplefox family
Drops file in Drivers directory 1 IoCs
- File created: C:\Windows\system32\drivers\QAssist.sys (process: TXPlatforn.exe)
Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259436464.txt" (process: svchos.exe)
Sets service image path in registry 2 TTPs 1 IoCs
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" (process: TXPlatforn.exe)
A potential corporate email address has been identified in the following URLs:
- icon-macOS@2x_ebb427cc.png
- icon_hover_macOS@2x_bf56032.png
- icon_hover_windows@2x_1ab1eec.png
- icon_normal_Android@2x_fd21f9a9.png
- icon_normal_Apple@2x_ec4d2a17.png
- icon_normal_DECK@2x_8559407c.png
- icon_normal_Pico@2x_e278ad60.png
- icon_normal_Playstation@2x_e5ad2adf.png
- icon_normal_Quest@2x_fa9f1659.png
- icon_normal_Switch@2x_d6d51ce7.png
- icon_normal_Xbox@2x_d6501e3f.png
- icon_normal_macOS@2x_23018f4c.png
- icon_normal_next@2x_8f139c4f.png
- icon_normal_windows@2x_27887efc.png
- icon_support_console@2x_ddad8f37.png
- icon_support_mobile@2x_f10457d6.png
Executes dropped EXE 6 IoCs
- PID 1660: svchost.exe
- PID 1836: TXPlatforn.exe
- PID 864: TXPlatforn.exe
- PID 2792: svchos.exe
- PID 2924: HD_2024-12-08_7091ef9191eae2ef9fba1acd659f916d_hijackloader_icedid.exe
- PID 860: Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
Loads dropped DLL 8 IoCs
- PID 2336: 2024-12-08_7091ef9191eae2ef9fba1acd659f916d_hijackloader_icedid.exe
- PID 1836: TXPlatforn.exe
- PID 2336: 2024-12-08_7091ef9191eae2ef9fba1acd659f916d_hijackloader_icedid.exe
- PID 2792: svchos.exe
- PID 2740: svchost.exe
- PID 2336: 2024-12-08_7091ef9191eae2ef9fba1acd659f916d_hijackloader_icedid.exe
- PID 2740: svchost.exe
- PID 860: Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
Drops file in System32 directory 6 IoCs
- File created: C:\Windows\SysWOW64\TXPlatforn.exe (process: svchost.exe)
- File opened for modification: C:\Windows\SysWOW64\TXPlatforn.exe (process: svchost.exe)
- File created: C:\Windows\SysWOW64\259436464.txt (process: svchos.exe)
- File opened for modification: C:\Windows\SysWOW64\ini.ini (process: svchos.exe)
- File created: C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe (process: svchost.exe)
- File opened for modification: C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe (process: svchost.exe)
yara_rule upx matched in the following resources (12 IoCs):
- behavioral1/memory/1660-5-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral1/memory/1660-8-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral1/memory/1660-9-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral1/memory/1660-7-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral1/memory/1836-27-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral1/memory/864-30-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral1/memory/864-31-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral1/memory/864-28-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral1/memory/1660-25-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral1/memory/864-32-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral1/memory/864-38-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral1/memory/864-40-0x0000000010000000-0x00000000101B6000-memory.dmp
Drops file in Program Files directory 4 IoCs
All four entries are by process 2024-12-08_7091ef9191eae2ef9fba1acd659f916d_hijackloader_icedid.exe:
- File opened for modification: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
- File opened for modification: C:\Program Files\Mozilla Firefox\firefox.exe
- File created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
- File opened for modification: C:\Program Files\VideoLAN\VLC\vlc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 10 IoCs
Attempts to gather information about the system language of a victim host in order to infer its geographical location.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by each of the following processes:
- svchost.exe
- cmd.exe
- Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
- 2024-12-08_7091ef9191eae2ef9fba1acd659f916d_hijackloader_icedid.exe
- TXPlatforn.exe
- svchos.exe
- PING.EXE
- svchost.exe
- HD_2024-12-08_7091ef9191eae2ef9fba1acd659f916d_hijackloader_icedid.exe
- IEXPLORE.EXE
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
- PID 2064: cmd.exe
- PID 2656: PING.EXE
Modifies Internet Explorer settings 40 IoCs
All keys below are relative to \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer:
- Key created: GPU (iexplore.exe)
- Key created: LowRegistry\DOMStorage (iexplore.exe)
- Set value (int): Recovery\PendingRecovery\AdminActive = "0" (iexplore.exe)
- Key created: DomainSuggestion (iexplore.exe)
- Set value (int): DOMStorage\163.com\Total = "29" (IEXPLORE.EXE)
- Set value (int): DOMStorage\Total\ = "47" (IEXPLORE.EXE)
- Set value (int): DOMStorage\uu.163.com\ = "47" (IEXPLORE.EXE)
- Key created: Main\WindowsSearch (iexplore.exe)
- Set value (str): Main\FullScreen = "no" (iexplore.exe)
- Set value (int): DOMStorage\Total\ = "29" (IEXPLORE.EXE)
- Key created: DOMStorage\uu.163.com (IEXPLORE.EXE)
- Key created: Toolbar (iexplore.exe)
- Set value (data): Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 (iexplore.exe)
- Key created: Main (IEXPLORE.EXE)
- Key created: DOMStorage\Total (IEXPLORE.EXE)
- Key created: BrowserEmulation\LowMic (iexplore.exe)
- Key created: IntelliForms (iexplore.exe)
- Key created: LowRegistry\DontShowMeThisDialogAgain (iexplore.exe)
- Set value (str): Main\WindowsSearch\Version = "WS not running" (iexplore.exe)
- Set value (int): DOMStorage\163.com\Total = "47" (IEXPLORE.EXE)
- Key created: Main (iexplore.exe)
- Key created: LowRegistry (iexplore.exe)
- Set value (int): Main\CompatibilityFlags = "0" (iexplore.exe)
- Set value (int): DOMStorage\uu.163.com\ = "29" (IEXPLORE.EXE)
- Set value (int): DOMStorage\uu.163.com\ = "77" (IEXPLORE.EXE)
- Set value (int): DomainSuggestion\NextUpdateDate = "439846123" (iexplore.exe)
- Key created: Toolbar\WebBrowser (iexplore.exe)
- Set value (int): Recovery\AdminActive\{498E5811-B596-11EF-9CB9-62CAC36041A9} = "0" (iexplore.exe)
- Key created: DOMStorage\163.com (IEXPLORE.EXE)
- Set value (int): DOMStorage\Total\ = "77" (IEXPLORE.EXE)
- Key created: Recovery\PendingRecovery (iexplore.exe)
- Set value (int): Recovery\PendingRecovery\AdminActive = "1" (iexplore.exe)
- Set value (int): DOMStorage\163.com\NumberOfSubdomains = "1" (IEXPLORE.EXE)
- Key created: IETld\LowMic (iexplore.exe)
- Key created: InternetRegistry (iexplore.exe)
- Key created: PageSetup (iexplore.exe)
- Key created: Recovery\AdminActive (iexplore.exe)
- Key created: Zoom (iexplore.exe)
- Key created: DOMStorage (IEXPLORE.EXE)
- Set value (int): DOMStorage\163.com\Total = "77" (IEXPLORE.EXE)
Runs ping.exe 1 TTPs 1 IoCs
- PID 2656: PING.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs
- PID 2336: 2024-12-08_7091ef9191eae2ef9fba1acd659f916d_hijackloader_icedid.exe
Suspicious behavior: LoadsDriver 1 IoCs
- PID 864: TXPlatforn.exe
Suspicious use of AdjustPrivilegeToken 6 IoCs
- Token: SeIncBasePriorityPrivilege, PID 1660 (svchost.exe)
- Token: SeLoadDriverPrivilege, PID 864 (TXPlatforn.exe)
- Token: 33, PID 864 (TXPlatforn.exe)
- Token: SeIncBasePriorityPrivilege, PID 864 (TXPlatforn.exe)
- Token: 33, PID 864 (TXPlatforn.exe)
- Token: SeIncBasePriorityPrivilege, PID 864 (TXPlatforn.exe)
Suspicious use of FindShellTrayWindow 1 IoCs
- PID 2420: iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs
- PID 2336: 2024-12-08_7091ef9191eae2ef9fba1acd659f916d_hijackloader_icedid.exe
- PID 2336: 2024-12-08_7091ef9191eae2ef9fba1acd659f916d_hijackloader_icedid.exe
- PID 2420: iexplore.exe
- PID 2420: iexplore.exe
- PID 1432: IEXPLORE.EXE
- PID 1432: IEXPLORE.EXE
Suspicious use of WriteProcessMemory 42 IoCs
Each entry gives the writing PID, the target PID, the writing process and its procid_target; identical entries are grouped with their count:
- PID 2336 wrote to memory of 1660 (2024-12-08_7091ef9191eae2ef9fba1acd659f916d_hijackloader_icedid.exe, procid_target 30), 7 entries
- PID 1836 wrote to memory of 864 (TXPlatforn.exe, procid_target 33), 7 entries
- PID 1660 wrote to memory of 2064 (svchost.exe, procid_target 32), 4 entries
- PID 2336 wrote to memory of 2792 (2024-12-08_7091ef9191eae2ef9fba1acd659f916d_hijackloader_icedid.exe, procid_target 34), 4 entries
- PID 2064 wrote to memory of 2656 (cmd.exe, procid_target 36), 4 entries
- PID 2336 wrote to memory of 2924 (2024-12-08_7091ef9191eae2ef9fba1acd659f916d_hijackloader_icedid.exe, procid_target 39), 4 entries
- PID 2740 wrote to memory of 860 (svchost.exe, procid_target 40), 4 entries
- PID 2924 wrote to memory of 2420 (HD_2024-12-08_7091ef9191eae2ef9fba1acd659f916d_hijackloader_icedid.exe, procid_target 42), 4 entries
- PID 2420 wrote to memory of 1432 (iexplore.exe, procid_target 43), 4 entries
Processes
Process tree (indentation shows parent/child nesting; each entry lists the image path, the observed command line, the signatures it triggered and its PID):

C:\Users\Admin\AppData\Local\Temp\2024-12-08_7091ef9191eae2ef9fba1acd659f916d_hijackloader_icedid.exe (PID 2336)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-12-08_7091ef9191eae2ef9fba1acd659f916d_hijackloader_icedid.exe"
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\svchost.exe (PID 1660)
    Command line: C:\Users\Admin\AppData\Local\Temp\\svchost.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 2064)
      Command line: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul
      - System Location Discovery: System Language Discovery
      - System Network Configuration Discovery: Internet Connection Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\PING.EXE (PID 2656)
        Command line: ping -n 2 127.0.0.1
        - System Location Discovery: System Language Discovery
        - System Network Configuration Discovery: Internet Connection Discovery
        - Runs ping.exe

  C:\Users\Admin\AppData\Local\Temp\svchos.exe (PID 2792)
    Command line: C:\Users\Admin\AppData\Local\Temp\\svchos.exe
    - Server Software Component: Terminal Services DLL
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery

  C:\Users\Admin\AppData\Local\Temp\HD_2024-12-08_7091ef9191eae2ef9fba1acd659f916d_hijackloader_icedid.exe (PID 2924)
    Command line: C:\Users\Admin\AppData\Local\Temp\HD_2024-12-08_7091ef9191eae2ef9fba1acd659f916d_hijackloader_icedid.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Program Files\Internet Explorer\iexplore.exe (PID 2420)
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe" https://uu.163.com/
      - Modifies Internet Explorer settings
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 1432)
        Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2420 CREDAT:275457 /prefetch:2
        - System Location Discovery: System Language Discovery
        - Modifies Internet Explorer settings
        - Suspicious use of SetWindowsHookEx

C:\Windows\SysWOW64\TXPlatforn.exe (PID 1836)
  Command line: C:\Windows\SysWOW64\TXPlatforn.exe -auto
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\TXPlatforn.exe (PID 864)
    Command line: C:\Windows\SysWOW64\TXPlatforn.exe -acsi
    - Drops file in Drivers directory
    - Sets service image path in registry
    - Executes dropped EXE
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\svchost.exe (PID 2856)
  Command line: C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"

C:\Windows\SysWOW64\svchost.exe (PID 2740)
  Command line: C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe (PID 860)
    Command line: C:\Windows\system32\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe "c:\windows\system32\259436464.txt",MainThread
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Server Software Component (1)
  - Terminal Services DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Downloads