Analysis

max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-12-2024 18:57

Static task: static1
Behavioral task: behavioral1
  Sample: 2024-12-08_7091ef9191eae2ef9fba1acd659f916d_hijackloader_icedid.exe
  Resource: win7-20240903-en
(The signatures and process tree below are tagged behavioral2 and come from the windows10-2004_x64 run named in the platform field above.)

General

Target: 2024-12-08_7091ef9191eae2ef9fba1acd659f916d_hijackloader_icedid.exe
Size: 3.0MB
MD5: 7091ef9191eae2ef9fba1acd659f916d
SHA1: 3d2cd6a23c64fb57b07e517d00854bbde43bf0ea
SHA256: 7f68f7239f7f8ea8d9be6de86e869a508096d6da0c2e02f57520f0959018930c
SHA512: faac00de734b6d85150570c648e29057b3e80811e3415732b7d65c039109a6bb5cb0b68bb345ae32f6f510ae2d283094879b9a10a5c99eaba456bf318c4c3437
SSDEEP: 49152:oQZAdVyVT9n/Gg0P+WhognG/wNCYnTC+vOuCsJwJ2k+s9pk+mcnG/wVUNQ3u:BGdVyVT9nOgmhvnG/wNbTC+vipJ2bsQr
Malware Config

Signatures

Note: the sample's filename tags it as hijackloader_icedid, but the YARA hits below are for Gh0st RAT and the Purple Fox rootkit. Treat the filename as the submitter's label, not as a detection. Every memory hit is the same 0x1B6000-byte region at image base 0x10000000 in PIDs 3540, 4492 and 3832 (the dropped Temp\svchost.exe and the two TXPlatforn.exe instances), so the purplefox_rootkit, family_gh0strat and upx rules are all matching one unpacked module rather than three separate payloads.

Purple Fox rootkit payload (YARA rule purplefox_rootkit) 11 IoCs
resource / yara_rule
  behavioral2/memory/3540-7-0x0000000010000000-0x00000000101B6000-memory.dmp  purplefox_rootkit
  behavioral2/memory/3540-10-0x0000000010000000-0x00000000101B6000-memory.dmp  purplefox_rootkit
  behavioral2/memory/3540-6-0x0000000010000000-0x00000000101B6000-memory.dmp  purplefox_rootkit
  behavioral2/memory/4492-15-0x0000000010000000-0x00000000101B6000-memory.dmp  purplefox_rootkit
  behavioral2/memory/4492-16-0x0000000010000000-0x00000000101B6000-memory.dmp  purplefox_rootkit
  behavioral2/memory/4492-17-0x0000000010000000-0x00000000101B6000-memory.dmp  purplefox_rootkit
  behavioral2/memory/4492-21-0x0000000010000000-0x00000000101B6000-memory.dmp  purplefox_rootkit
  behavioral2/memory/3832-41-0x0000000010000000-0x00000000101B6000-memory.dmp  purplefox_rootkit
  behavioral2/memory/3832-40-0x0000000010000000-0x00000000101B6000-memory.dmp  purplefox_rootkit
  behavioral2/memory/3832-43-0x0000000010000000-0x00000000101B6000-memory.dmp  purplefox_rootkit
  behavioral2/memory/3832-48-0x0000000010000000-0x00000000101B6000-memory.dmp  purplefox_rootkit
Gh0st RAT payload 12 IoCs
resource / yara_rule
  behavioral2/memory/3540-7-0x0000000010000000-0x00000000101B6000-memory.dmp  family_gh0strat
  behavioral2/memory/3540-10-0x0000000010000000-0x00000000101B6000-memory.dmp  family_gh0strat
  behavioral2/memory/3540-6-0x0000000010000000-0x00000000101B6000-memory.dmp  family_gh0strat
  behavioral2/memory/4492-15-0x0000000010000000-0x00000000101B6000-memory.dmp  family_gh0strat
  behavioral2/memory/4492-16-0x0000000010000000-0x00000000101B6000-memory.dmp  family_gh0strat
  behavioral2/memory/4492-17-0x0000000010000000-0x00000000101B6000-memory.dmp  family_gh0strat
  behavioral2/memory/4492-21-0x0000000010000000-0x00000000101B6000-memory.dmp  family_gh0strat
  behavioral2/files/0x0007000000023c84-31.dat  family_gh0strat
  behavioral2/memory/3832-41-0x0000000010000000-0x00000000101B6000-memory.dmp  family_gh0strat
  behavioral2/memory/3832-40-0x0000000010000000-0x00000000101B6000-memory.dmp  family_gh0strat
  behavioral2/memory/3832-43-0x0000000010000000-0x00000000101B6000-memory.dmp  family_gh0strat
  behavioral2/memory/3832-48-0x0000000010000000-0x00000000101B6000-memory.dmp  family_gh0strat
The one on-disk hit (files/0x0007000000023c84-31.dat) is the only place the rule fires outside memory; the memory hits are the same region listed under the Purple Fox rule.
Gh0strat family
Purplefox family
Drops file in Drivers directory 1 IoCs
description / ioc / Process
  File created  C:\Windows\system32\drivers\QAssist.sys  TXPlatforn.exe
Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
description / ioc / Process
  Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\240619796.txt"  svchos.exe
The service name is recorded exactly as the en-US sandbox saw it: it is the GBK encoding of the Chinese name 主动防御服务模块 ("Active Defense Service Module") read through the Latin-1 code page. On an en-US host the registry key and the matching svchost.exe -k group carry the mojibake spelling literally, so hunt for both spellings. The ServiceDll points at a .txt file under system32, which is a DLL by any name as far as the service host is concerned; note also that the writer is svchos.exe, a lookalike of svchost.exe, not the Service Control Manager.
Sets service image path in registry 2 TTPs 1 IoCs
description / ioc / Process
  Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"  TXPlatforn.exe
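The two registry writes above (a svchost ServiceDll pointing at a .txt under a service whose name the en-US sandbox recorded as GBK mojibake, and a kernel-driver ImagePath written by TXPlatforn.exe) are the persistence a hunt should key on. The Python below is an added example, not part of this report or of any vendor tool: it recovers the intended service name so searches can use both spellings, parses the report's two IoC lines plus one constructed benign control (the wuauserv line is not from the report), and scores each write with simple rules. The expected-writer list, the lookalike threshold and the rule names are assumptions to tune for your estate.

```python
import difflib
import re
from typing import Dict, List

# The literal service name as the en-US sandbox recorded it: GBK bytes of a
# Chinese name, re-read as Latin-1 by the sandbox's ANSI code page.
MOJIBAKE_SERVICE = "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"

# Constructed input: the report's two "Set value (str)" IoCs, plus one benign
# control line (wuauserv, written by services.exe) that is NOT from the report.
REPORT_IOCS = r'''
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\240619796.txt" svchos.exe
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" TXPlatforn.exe
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters\ServiceDll = "C:\\Windows\\system32\\wuaueng.dll" services.exe
'''

IOC_RE = re.compile(
    r'^Set value \(str\) \\REGISTRY\\MACHINE\\SYSTEM\\ControlSet\d+\\Services\\'
    r'(?P<service>[^\\]+)\\(?P<value>[^=]+?) = "(?P<data>[^"]*)" (?P<process>\S+)$'
)

# Assumption: processes that legitimately write service keys on this estate.
EXPECTED_SERVICE_WRITERS = {"services.exe", "msiexec.exe"}
# System binaries that droppers like to imitate by name (tuple for stable order).
SYSTEM_BINARIES = ("svchost.exe", "services.exe", "lsass.exe", "csrss.exe")


def decode_gbk_mojibake(name: str) -> str:
    """Undo Latin-1-over-GBK mojibake; return the input unchanged if it does not apply."""
    try:
        return name.encode("latin-1").decode("gbk")
    except (UnicodeEncodeError, UnicodeDecodeError):
        return name


def service_name_variants(name: str) -> List[str]:
    """Both spellings to search for: the literal en-US form and the intended one."""
    return sorted({name, decode_gbk_mojibake(name)})


def lookalike_of(process: str) -> str:
    """System binary this image name imitates (svchos.exe -> svchost.exe), or ''."""
    p = process.lower()
    for real in SYSTEM_BINARIES:
        if p != real and difflib.SequenceMatcher(None, p, real).ratio() >= 0.9:
            return real
    return ""


def parse_iocs(text: str) -> List[Dict[str, str]]:
    """Turn the report's 'Set value (str)' lines into dicts; skip anything else."""
    records = []
    for line in text.splitlines():
        m = IOC_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["data"] = rec["data"].replace("\\\\", "\\")  # undo the report's escaping
            records.append(rec)
    return records


def assess(rec: Dict[str, str]) -> List[str]:
    """Rule codes raised by one registry write (empty list means benign)."""
    codes = []
    value, data, proc = rec["value"].lower(), rec["data"].lower(), rec["process"].lower()
    if value.endswith("servicedll"):
        if not data.endswith(".dll"):
            codes.append("servicedll_not_dll")        # DLL hidden behind another extension
        if not data.startswith("c:\\windows\\"):
            codes.append("servicedll_outside_windows")
    if value == "imagepath" and data.endswith(".sys"):
        codes.append("driver_imagepath")              # a kernel driver is being registered
    if proc not in EXPECTED_SERVICE_WRITERS:
        codes.append("writer_not_scm")                # key written directly, not via the SCM
    real = lookalike_of(proc)
    if real:
        codes.append("writer_lookalike:" + real)
    return codes


def hunt(text: str = REPORT_IOCS) -> Dict[str, List[str]]:
    """Map each service name to its rule codes; records with no codes are dropped."""
    findings = {}
    for rec in parse_iocs(text):
        codes = assess(rec)
        if codes:
            findings[rec["service"]] = codes
    return findings


if __name__ == "__main__":
    for svc, codes in hunt().items():
        print(service_name_variants(svc), codes)
```

Run stand-alone it prints both spellings of each flagged service next to its rule codes; the benign wuauserv control produces nothing. The GBK round-trip is the piece to keep: any ANSI-only dropper built for a zh-CN code page leaves this kind of name behind on a Western host, and a hunt that searches only for the Chinese string will miss it.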
Checks computer location settings 2 TTPs 8 IoCs
Looks up the country code configured in the registry, likely a geofence.
description / ioc / Process
  Key value queried  \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation  HD_msedge.exe  (8 times)
All eight queries come from HD_msedge.exe, which runs with Microsoft Edge's own crashpad annotations and version 92.0.902.67 in the process tree. Read this as ordinary browser start-up rather than geofencing by the malware itself.
Executes dropped EXE 24 IoCs
pid / Process
  3540  svchost.exe
  4492  TXPlatforn.exe
  3832  TXPlatforn.exe
  4372  svchos.exe
  2008  HD_2024-12-08_7091ef9191eae2ef9fba1acd659f916d_hijackloader_icedid.exe
  2456  Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
  1556  msedge.exe
  940   svchost.exe
  4508  TXPlatforn.exe
  1328  svchos.exe
  4852  TXPlatforn.exe
  1340  HD_msedge.exe
  2328  HD_msedge.exe
  3184  HD_msedge.exe
  1264  HD_msedge.exe
  2732  HD_msedge.exe
  3544  HD_msedge.exe
  3084  HD_msedge.exe
  4416  HD_msedge.exe
  3012  HD_msedge.exe
  1204  HD_msedge.exe
  3056  HD_msedge.exe
  232   HD_msedge.exe
  3860  HD_msedge.exe
Loads dropped DLL 3 IoCs
pid / Process
  4372  svchos.exe
  4976  svchost.exe
  2456  Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Checks whether UAC is enabled 1 TTPs 1 IoCs
description / ioc / Process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  HD_msedge.exe
Checks system information in the registry 2 TTPs 2 IoCs
System information is often read in order to detect sandboxing environments.
description / ioc / Process
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer  HD_msedge.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName  HD_msedge.exe
Both reads are by HD_msedge.exe (the browser process; see Drops file in Program Files directory), so they are browser telemetry rather than sandbox detection by the dropper.
Drops file in System32 directory 6 IoCs
description / ioc / Process
  File opened for modification  C:\Windows\SysWOW64\TXPlatforn.exe  svchost.exe
  File created                  C:\Windows\SysWOW64\240619796.txt  svchos.exe
  File opened for modification  C:\Windows\SysWOW64\ini.ini  svchos.exe
  File created                  C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe  svchost.exe
  File opened for modification  C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe  svchost.exe
  File created                  C:\Windows\SysWOW64\TXPlatforn.exe  svchost.exe
The process column shows the image name only. In the process tree both the dropped C:\Users\Admin\AppData\Local\Temp\svchost.exe (PID 3540) and the genuine service host running the mojibake-named service group (PID 4976) carry this tag, so do not assume the writes came from the Windows binary. 240619796.txt is the file the Terminal Services DLL signature registers as a ServiceDll.
UPX-packed code (YARA rule upx) 14 IoCs
resource / yara_rule
  behavioral2/memory/3540-4-0x0000000010000000-0x00000000101B6000-memory.dmp  upx
  behavioral2/memory/3540-7-0x0000000010000000-0x00000000101B6000-memory.dmp  upx
  behavioral2/memory/3540-10-0x0000000010000000-0x00000000101B6000-memory.dmp  upx
  behavioral2/memory/3540-6-0x0000000010000000-0x00000000101B6000-memory.dmp  upx
  behavioral2/memory/4492-15-0x0000000010000000-0x00000000101B6000-memory.dmp  upx
  behavioral2/memory/4492-13-0x0000000010000000-0x00000000101B6000-memory.dmp  upx
  behavioral2/memory/4492-16-0x0000000010000000-0x00000000101B6000-memory.dmp  upx
  behavioral2/memory/4492-17-0x0000000010000000-0x00000000101B6000-memory.dmp  upx
  behavioral2/memory/4492-21-0x0000000010000000-0x00000000101B6000-memory.dmp  upx
  behavioral2/memory/3832-38-0x0000000010000000-0x00000000101B6000-memory.dmp  upx
  behavioral2/memory/3832-41-0x0000000010000000-0x00000000101B6000-memory.dmp  upx
  behavioral2/memory/3832-40-0x0000000010000000-0x00000000101B6000-memory.dmp  upx
  behavioral2/memory/3832-43-0x0000000010000000-0x00000000101B6000-memory.dmp  upx
  behavioral2/memory/3832-48-0x0000000010000000-0x00000000101B6000-memory.dmp  upx
Drops file in Program Files directory 7 IoCs
description / ioc / Process
  File opened for modification  C:\Program Files\VideoLAN\VLC\vlc.exe  2024-12-08_7091ef9191eae2ef9fba1acd659f916d_hijackloader_icedid.exe
  File created                  C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe  msedge.exe
  File opened for modification  C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe  msedge.exe
  File opened for modification  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  2024-12-08_7091ef9191eae2ef9fba1acd659f916d_hijackloader_icedid.exe
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe  2024-12-08_7091ef9191eae2ef9fba1acd659f916d_hijackloader_icedid.exe
  File opened for modification  C:\Program Files\Mozilla Firefox\firefox.exe  2024-12-08_7091ef9191eae2ef9fba1acd659f916d_hijackloader_icedid.exe
  File created                  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe  2024-12-08_7091ef9191eae2ef9fba1acd659f916d_hijackloader_icedid.exe
Read together with the process tree, these writes are consistent with the sample overwriting installed application binaries and keeping each original under an HD_ prefix: msedge.exe is tagged as a dropped EXE by the time it runs, it spawns svchost.exe and svchos.exe, and only then launches HD_msedge.exe, which behaves as the real browser (Edge's own crashpad annotations, version 92.0.902.67, identity_helper.exe from the 92.0.902.67 directory). The same treatment was applied to vlc.exe, firefox.exe and AcroRd32.exe; chrome.exe was created rather than opened, so no existing Chrome binary was there to overwrite. For recovery, an HD_-prefixed file is the candidate original, and the unprefixed binaries should be treated as trojanised until their hashes are verified against vendor-signed copies.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 15 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description / ioc / Process (key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language)
  2024-12-08_7091ef9191eae2ef9fba1acd659f916d_hijackloader_icedid.exe  (1)
  svchost.exe  (3)
  svchos.exe  (2)
  cmd.exe  (2)
  TXPlatforn.exe  (2)
  HD_2024-12-08_7091ef9191eae2ef9fba1acd659f916d_hijackloader_icedid.exe  (1)
  PING.EXE  (2)
  msedge.exe  (1)
  Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe  (1)
This key is opened by every 32-bit process in the run, including cmd.exe and PING.EXE, so on its own it is process start-up noise rather than evidence of a language check by the malware.
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid / Process
  2168  PING.EXE
  3056  cmd.exe
  2640  PING.EXE
  3864  cmd.exe
The ping target in both chains is 127.0.0.1 (cmd.exe /c ping -n 2 127.0.0.1 > nul && del ...\svchost.exe > nul, see the process tree). That is not a connectivity check; it is a delay so the dropped svchost.exe can be deleted once the parent has exited. No outbound network activity is attributed to this signature.
Enumerates system info in registry 2 TTPs 3 IoCs
description / ioc / Process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  HD_msedge.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  HD_msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  HD_msedge.exe
Runs ping.exe 1 TTPs 2 IoCs
pid / Process
  2168  PING.EXE
  2640  PING.EXE
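Both ping processes above are children of a cmd.exe /c ping -n 2 127.0.0.1 > nul && del ... > nul chain (see the process tree): the loopback ping is a sleep, and the del that follows removes the dropper. The Python below is an added example, not from the report: it splits a cmd.exe command line into its &&/& segments, treats a loopback ping or a timeout as the delay and a later del/erase as the payload, and returns the deleted path. It generalises beyond the page's exact line: the timeout variant and the control lines in the sample list are constructed inputs, not observed in this run.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the two cmd.exe lines from the report, then three controls
# (a real connectivity check, a delete with no delay, and a timeout-based variant).
SAMPLE_CMDLINES = [
    r'C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul',
    r'C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul',
    r'cmd.exe /c ping -n 4 8.8.8.8',                     # genuine connectivity check: no finding
    r'cmd.exe /c del /f /q C:\Temp\report.txt',          # delete without a delay: no finding
    r'cmd.exe /c timeout /t 3 & del /f "C:\Users\Admin\AppData\Local\Temp\stage2.exe"',  # constructed variant
]

LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}
SEP_RE = re.compile(r"\s*(?:&&|\|\||&|\|)\s*")            # cmd.exe command separators
REDIRECT_RE = re.compile(r"\s*[12]?>>?\s*\S+")             # "> nul", "2>&1", ">> log"
CMD_PREFIX_RE = re.compile(r'^.*?\bcmd(?:\.exe)?"?\s+/[ck]\s+', re.IGNORECASE)
PING_FLAGS_WITH_VALUE = {"-n", "-w", "-l", "-i", "-v", "-s", "-j", "-k", "-r"}


def tokenize(segment: str) -> List[str]:
    """Split on whitespace but keep quoted paths together, then drop the quotes."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', segment)]


def parse_ping(tokens: List[str]) -> Tuple[Optional[str], int]:
    """Return (host, echo count); Windows ping defaults to 4 echoes."""
    host, count, i = None, 4, 1
    while i < len(tokens):
        t = tokens[i]
        if t.lower() in PING_FLAGS_WITH_VALUE:
            if t.lower() == "-n" and i + 1 < len(tokens) and tokens[i + 1].isdigit():
                count = int(tokens[i + 1])
            i += 2
            continue
        if not t.startswith("-"):
            host = t
        i += 1
    return host, count


def parse_timeout(tokens: List[str]) -> int:
    """timeout /t N or timeout N -> N seconds."""
    for t in tokens[1:]:
        if t.isdigit():
            return int(t)
    return 0


def parse_del(tokens: List[str]) -> Optional[str]:
    """Last non-switch argument of del/erase is the path."""
    paths = [t for t in tokens[1:] if not t.startswith("/")]
    return paths[-1] if paths else None


def detect_delayed_delete(cmdline: str) -> Optional[Dict[str, object]]:
    """Delay (loopback ping or timeout) followed by del/erase -> finding, else None."""
    body = CMD_PREFIX_RE.sub("", cmdline, count=1)
    body = REDIRECT_RE.sub("", body)
    delay = None
    for segment in SEP_RE.split(body):
        tokens = tokenize(segment)
        if not tokens:
            continue
        head = tokens[0].lower().rsplit("\\", 1)[-1]   # tolerate full paths to ping.exe
        if head in ("ping", "ping.exe"):
            host, count = parse_ping(tokens)
            if host and host.lower() in LOOPBACK_HOSTS:
                # N echoes to loopback are ~1 s apart, so the wait is about N-1 seconds.
                delay = {"kind": "ping-loopback", "approx_seconds": max(count - 1, 0)}
        elif head in ("timeout", "timeout.exe"):
            delay = {"kind": "timeout", "approx_seconds": parse_timeout(tokens)}
        elif head in ("del", "erase") and delay:
            path = parse_del(tokens)
            if path:
                return {**delay, "deleted_path": path}
    return None


def scan_cmdlines(cmdlines: List[str]) -> List[Tuple[int, Dict[str, object]]]:
    """Index and finding for every command line that matches."""
    return [(i, f) for i, f in ((i, detect_delayed_delete(c)) for i, c in enumerate(cmdlines)) if f]


if __name__ == "__main__":
    for idx, finding in scan_cmdlines(SAMPLE_CMDLINES):
        print(idx, finding)
```

Fed the report's line, the detector reports a ping-loopback delay of about one second and the deleted path C:\Users\Admin\AppData\Local\Temp\svchost.exe; the 8.8.8.8 ping and the bare del produce nothing, which is the point of scoring the delay-plus-delete pair rather than ping.exe on its own.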
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid / Process
  1168  2024-12-08_7091ef9191eae2ef9fba1acd659f916d_hijackloader_icedid.exe  (2)
  1556  msedge.exe  (2)
  1264  HD_msedge.exe  (2)
  1340  HD_msedge.exe  (2)
  4956  identity_helper.exe  (2)
  3860  HD_msedge.exe  (4)
Suspicious behavior: LoadsDriver 1 IoCs
pid / Process
  3832  TXPlatforn.exe
Suspicious use of AdjustPrivilegeToken 7 IoCs
description / pid / Process
  Token: SeIncBasePriorityPrivilege  3540  svchost.exe
  Token: SeLoadDriverPrivilege       3832  TXPlatforn.exe
  Token: SeIncBasePriorityPrivilege  940   svchost.exe
  Token: 33 (privilege LUID 33 is SeIncreaseWorkingSetPrivilege)  3832  TXPlatforn.exe
  Token: SeIncBasePriorityPrivilege  3832  TXPlatforn.exe
  Token: 33 (SeIncreaseWorkingSetPrivilege)  3832  TXPlatforn.exe
  Token: SeIncBasePriorityPrivilege  3832  TXPlatforn.exe
SeLoadDriverPrivilege in PID 3832 is the enabling step for the QAssist.sys load reported under LoadsDriver and the ImagePath write under Sets service image path in registry.
Suspicious use of FindShellTrayWindow 25 IoCs
pid / Process
  1340  HD_msedge.exe  (25)

Suspicious use of SendNotifyMessage 24 IoCs
pid / Process
  1340  HD_msedge.exe  (24)
Suspicious use of SetWindowsHookEx 4 IoCs
pid / Process
  1168  2024-12-08_7091ef9191eae2ef9fba1acd659f916d_hijackloader_icedid.exe  (2)
  1556  msedge.exe  (2)
Suspicious use of WriteProcessMemory 64 IoCs
Grouped by parent -> child. procid_target is the report's internal id of the target process; the count is the number of logged writes for that pair.
parent pid / parent Process -> child pid (procid_target) / count
  1168  2024-12-08_7091ef9191eae2ef9fba1acd659f916d_hijackloader_icedid.exe -> 3540 (83)  3
  3540  svchost.exe -> 3864 (85)  3
  4492  TXPlatforn.exe -> 3832 (86)  3
  1168  2024-12-08_7091ef9191eae2ef9fba1acd659f916d_hijackloader_icedid.exe -> 4372 (87)  3
  1168  2024-12-08_7091ef9191eae2ef9fba1acd659f916d_hijackloader_icedid.exe -> 2008 (91)  3
  3864  cmd.exe -> 2168 (92)  3
  4976  svchost.exe -> 2456 (93)  3
  2008  HD_2024-12-08_7091ef9191eae2ef9fba1acd659f916d_hijackloader_icedid.exe -> 1556 (95)  3
  1556  msedge.exe -> 940 (98)  3
  940   svchost.exe -> 3056 (100)  3
  4508  TXPlatforn.exe -> 4852 (103)  3
  1556  msedge.exe -> 1328 (102)  3
  1556  msedge.exe -> 1340 (104)  2
  1340  HD_msedge.exe -> 2328 (105)  2
  3056  cmd.exe -> 2640 (106)  3
  1340  HD_msedge.exe -> 3184 (109)  21
Every target is a direct child that the same parent spawns in the process tree, so these writes accompany process creation; there is no write into a pre-existing, unrelated process in this run.
System policy modification 1 TTPs 1 IoCs
description / ioc / Process
  Key created  \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection  HD_msedge.exe
Processes

Indented by parent/child relationship; each entry gives the image path, the command line and the signatures the sandbox attached to that process. The sandbox reuses PIDs within this run: 3056 is first cmd.exe and later an HD_msedge.exe renderer, 4492 is first TXPlatforn.exe and later CompPkgSrv.exe, and 4852 is first TXPlatforn.exe and later identity_helper.exe. Correlate on the parent/child links and procid_target, not on PID alone.

PID 1168  C:\Users\Admin\AppData\Local\Temp\2024-12-08_7091ef9191eae2ef9fba1acd659f916d_hijackloader_icedid.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\2024-12-08_7091ef9191eae2ef9fba1acd659f916d_hijackloader_icedid.exe"
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  PID 3540  C:\Users\Admin\AppData\Local\Temp\svchost.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\\svchost.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    PID 3864  C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul
      - System Location Discovery: System Language Discovery
      - System Network Configuration Discovery: Internet Connection Discovery
      - Suspicious use of WriteProcessMemory

      PID 2168  C:\Windows\SysWOW64\PING.EXE
        cmdline: ping -n 2 127.0.0.1
        - System Location Discovery: System Language Discovery
        - System Network Configuration Discovery: Internet Connection Discovery
        - Runs ping.exe

  PID 4372  C:\Users\Admin\AppData\Local\Temp\svchos.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\\svchos.exe
    - Server Software Component: Terminal Services DLL
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery

  PID 2008  C:\Users\Admin\AppData\Local\Temp\HD_2024-12-08_7091ef9191eae2ef9fba1acd659f916d_hijackloader_icedid.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\HD_2024-12-08_7091ef9191eae2ef9fba1acd659f916d_hijackloader_icedid.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    PID 1556  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://uu.163.com/
      - Executes dropped EXE
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      (msedge.exe is tagged as a dropped EXE and, like the top-level sample, spawns svchost.exe and svchos.exe before starting HD_msedge.exe: the Edge binary has been replaced and the original kept under the HD_ name.)

      PID 940  C:\Users\Admin\AppData\Local\Temp\svchost.exe
        cmdline: C:\Users\Admin\AppData\Local\Temp\\svchost.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        PID 3056  C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul
          - System Location Discovery: System Language Discovery
          - System Network Configuration Discovery: Internet Connection Discovery
          - Suspicious use of WriteProcessMemory

          PID 2640  C:\Windows\SysWOW64\PING.EXE
            cmdline: ping -n 2 127.0.0.1
            - System Location Discovery: System Language Discovery
            - System Network Configuration Discovery: Internet Connection Discovery
            - Runs ping.exe

      PID 1328  C:\Users\Admin\AppData\Local\Temp\svchos.exe
        cmdline: C:\Users\Admin\AppData\Local\Temp\\svchos.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery

      PID 1340  C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe"
        - Checks computer location settings
        - Executes dropped EXE
        - Checks whether UAC is enabled
        - Checks system information in the registry
        - Enumerates system info in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
        - System policy modification

        PID 2328  C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
          cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff550446f8,0x7fff55044708,0x7fff55044718
          - Executes dropped EXE

        PID 3184  C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
          cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=gpu-process --field-trial-handle=2056,134734696324134576,8186676842007694372,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 /prefetch:2
          - Executes dropped EXE

        PID 1264  C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
          cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,134734696324134576,8186676842007694372,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 /prefetch:3
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses

        PID 2732  C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
          cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,134734696324134576,8186676842007694372,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2936 /prefetch:8
          - Executes dropped EXE

        PID 3544  C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
          cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2056,134734696324134576,8186676842007694372,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
          - Checks computer location settings
          - Executes dropped EXE

        PID 3084  C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
          cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2056,134734696324134576,8186676842007694372,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
          - Checks computer location settings
          - Executes dropped EXE

        PID 4416  C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
          cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2056,134734696324134576,8186676842007694372,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4796 /prefetch:1
          - Checks computer location settings
          - Executes dropped EXE

        PID 3012  C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
          cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2056,134734696324134576,8186676842007694372,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4844 /prefetch:1
          - Checks computer location settings
          - Executes dropped EXE

        PID 4852  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
          cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,134734696324134576,8186676842007694372,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5468 /prefetch:8

        PID 4956  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
          cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,134734696324134576,8186676842007694372,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5468 /prefetch:8
          - Suspicious behavior: EnumeratesProcesses

        PID 1204  C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
          cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2056,134734696324134576,8186676842007694372,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1
          - Checks computer location settings
          - Executes dropped EXE

        PID 3056  C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
          cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2056,134734696324134576,8186676842007694372,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1
          - Checks computer location settings
          - Executes dropped EXE

        PID 232  C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
          cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2056,134734696324134576,8186676842007694372,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4104 /prefetch:1
          - Checks computer location settings
          - Executes dropped EXE

        PID 3860  C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
          cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=gpu-process --field-trial-handle=2056,134734696324134576,8186676842007694372,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3080 /prefetch:2
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses

PID 4492  C:\Windows\SysWOW64\TXPlatforn.exe
  cmdline: C:\Windows\SysWOW64\TXPlatforn.exe -auto
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  PID 3832  C:\Windows\SysWOW64\TXPlatforn.exe
    cmdline: C:\Windows\SysWOW64\TXPlatforn.exe -acsi
    - Drops file in Drivers directory
    - Sets service image path in registry
    - Executes dropped EXE
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken

PID 4124  C:\Windows\SysWOW64\svchost.exe
  cmdline: C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"

PID 4976  C:\Windows\SysWOW64\svchost.exe
  cmdline: C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  (The genuine 32-bit service host starting the service group registered under Server Software Component: Terminal Services DLL; "Loads dropped DLL" here is the ServiceDll 240619796.txt.)

  PID 2456  C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
    cmdline: C:\Windows\system32\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe "c:\windows\system32\240619796.txt",MainThread
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    (rundll32-style argument syntax: the dropped EXE loads 240619796.txt as a DLL and calls its MainThread export.)

PID 4508  C:\Windows\SysWOW64\TXPlatforn.exe
  cmdline: C:\Windows\SysWOW64\TXPlatforn.exe -auto
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  PID 4852  C:\Windows\SysWOW64\TXPlatforn.exe
    cmdline: C:\Windows\SysWOW64\TXPlatforn.exe -acsi
    - Executes dropped EXE

PID 4492  C:\Windows\System32\CompPkgSrv.exe
  cmdline: C:\Windows\System32\CompPkgSrv.exe -Embedding

PID 220  C:\Windows\System32\CompPkgSrv.exe
  cmdline: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15

Tactic                Technique                           Sub-technique                        Count
Persistence           Boot or Logon Autostart Execution   Registry Run Keys / Startup Folder   1
Persistence           Server Software Component           Terminal Services DLL                1
Privilege Escalation  Boot or Logon Autostart Execution   Registry Run Keys / Startup Folder   1
Credential Access     Credentials from Password Stores    Credentials from Web Browsers        1
Credential Access     Unsecured Credentials               Credentials In Files                 1

Terminal Services DLL corresponds to the ServiceDll write listed under Server Software Component above. Registry Run Keys / Startup Folder is mapped here although no Run-key or Startup-folder write appears in the signature list on this page.
Downloads

Paths are given only where the page records them.

- Filesize: 3.2MB
  MD5: ad8536c7440638d40156e883ac25086e
  SHA1: fa9e8b7fb10473a01b8925c4c5b0888924a1147c
  SHA256: 73d84d249f16b943d1d3f9dd9e516fadd323e70939c29b4a640693eb8818ee9a
  SHA512: b5f368be8853aa142dba614dcca7e021aba92b337fe36cfc186714092a4dab1c7a2181954cd737923edd351149980182a090dbde91081c81d83f471ff18888fe

- Filesize: 4.5MB
  MD5: 697617425733ed9a6a15042d32d6da12
  SHA1: 746ff10a1a8cba31f6ce2952a3210ee5ff5b4609
  SHA256: cc8d88024ea3937f400515aabdf4720d7bcb05cd294efbb8993bc8e4c1d193f6
  SHA512: a62e453b1b789cde4e5de70f29e384bd41ef5a86d9a5a67c7421eaff8c0a601ff0943cf7a97385a87759d7a5a25b358cd67c3cd29b3921b3996403a1897f0b8f

- Filesize: 152B
  MD5: 37f660dd4b6ddf23bc37f5c823d1c33a
  SHA1: 1c35538aa307a3e09d15519df6ace99674ae428b
  SHA256: 4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8
  SHA512: 807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d

- Filesize: 152B
  MD5: d7cb450b1315c63b1d5d89d98ba22da5
  SHA1: 694005cd9e1a4c54e0b83d0598a8a0c089df1556
  SHA256: 38355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031
  SHA512: df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8

- Filesize: 5KB
  MD5: f3c7beab6d2150f56226a917dadf6c0d
  SHA1: c9df07b311a4eb5c948e85f168681d0fb2aed8e8
  SHA256: 5a05a0053601539f8ab9decb6c21013d4a9acc06b19a892c5770d027a69709e6
  SHA512: e445f4d070ede31e5a30ee9f906f76ca83f07570cfcdc166957dcb67af41ed5d5404c339da69066640072a32a69a31f797bf28796bf9b867b19cad54e7a4b8c7

- Filesize: 6KB
  MD5: 36de86df1c5a0c1cf66f32b90e9276c5
  SHA1: d5ab3f1d87e0101050c2c002391914ff35eeddd9
  SHA256: 0ce7fa0f3accac7ef2a698f875aff6d65af751dbf5fad922b28582f85ffc3957
  SHA512: 0921742a20a4f56188f63647c21a2fbc8c901b440347e6eafec86938ab9172f2087d42ce481840f65e05ebd78222dac5963e397eb577059af0feafb3d7aaa437

- Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

- Filesize: 10KB
  MD5: 0b03f9f422298c05380ce9edf26e8a3e
  SHA1: 435487eba770c46b0dc1626aa210f826826e3c73
  SHA256: 886bc584ea7f2ebf1cd067eefbb59f27fb881e0788175ab17aa572da9e9c0e9c
  SHA512: 6b454b79c62f5c643f3c2bfd7b80090eec2417ed2e52a2dab371554d2bda16c08eec0a5640bbb62b5bc1e4293e9cf0b4561f440644c88a10d4a5691a43d62a1d

- C:\Users\Admin\AppData\Local\Temp\HD_2024-12-08_7091ef9191eae2ef9fba1acd659f916d_hijackloader_icedid.exe
  Filesize: 1.7MB
  MD5: 41d1320b270d52fc54f88851b045fd4d
  SHA1: 652b67083bcae6db3ce156a13e33657ce026a74f
  SHA256: 98a3e9f2d4313e78bd7cab53070d2a26f292129edd53fa329394eb4e793c104a
  SHA512: 03d5ecf5f3de36001fbf9cae283c7db474124ead885c4c45837400f0bc3d86f903417f92b5e1094fedfefcbaf82ace12104c7b6d8bfe9fd2527854f2808e9354

- Filesize: 1.3MB
  MD5: f220d9369aebfed8404cfeadd8f3a818
  SHA1: 86c0095799f2937a9296d030c5b00475424779de
  SHA256: c4af430a63b0c6576f38440dca4f25286ac0fc16f017c86701f31d10449c8e88
  SHA512: 3937316c9279274eeefbd8aef410d3cd72c784d9cf4981319bdd91eca8ff37dcf69e266b1b99bf5dfd0b7b0a2ba582d07eff1e21f753590ebf25a03ec960a13e

- Filesize: 93KB
  MD5: 3b377ad877a942ec9f60ea285f7119a2
  SHA1: 60b23987b20d913982f723ab375eef50fafa6c70
  SHA256: 62954fdf65e629b39a29f539619d20691332184c6b6be5a826128a8e759bfa84
  SHA512: af3a71f867ad9d28772c48b521097f9bf8931eb89fd2974e8de10990241419a39ddc3c0b36dd38aac4fdf14e1f0c5e228692618e93adce958d5b5dab8940e46f

- Filesize: 377KB
  MD5: a4329177954d4104005bce3020e5ef59
  SHA1: 23c29e295e2dbb8454012d619ca3f81e4c16e85a
  SHA256: 6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd
  SHA512: 81e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208

- Filesize: 50KB
  MD5: 37f1eb2cbd003c630a674dede101ed67
  SHA1: 0049fb921165e364f7cdc48d259a01d40b841bb7
  SHA256: f2f24b2d9968846af7af62be304c9920b9e9858bda490522f548aada96e55dad
  SHA512: dca6ac7c5469499772c9a7e2aa2518cce44cff7530ce5afa4f934a75a498dedec316889d5111befc6381f6492ec77205a1d9be96019f1b7ab3e571776cbf82dd

- Filesize: 60KB
  MD5: 889b99c52a60dd49227c5e485a016679
  SHA1: 8fa889e456aa646a4d0a4349977430ce5fa5e2d7
  SHA256: 6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910
  SHA512: 08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641