Analysis

max time kernel: 44s
max time network: 42s
platform: windows11-21h2_x64
resource: win11-20241007-en
resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 08-12-2024 19:05
Static task: static1

General

Target: 2024-12-08_7091ef9191eae2ef9fba1acd659f916d_hijackloader_icedid.exe
Size: 3.0MB
MD5: 7091ef9191eae2ef9fba1acd659f916d
SHA1: 3d2cd6a23c64fb57b07e517d00854bbde43bf0ea
SHA256: 7f68f7239f7f8ea8d9be6de86e869a508096d6da0c2e02f57520f0959018930c
SHA512: faac00de734b6d85150570c648e29057b3e80811e3415732b7d65c039109a6bb5cb0b68bb345ae32f6f510ae2d283094879b9a10a5c99eaba456bf318c4c3437
SSDEEP: 49152:oQZAdVyVT9n/Gg0P+WhognG/wNCYnTC+vOuCsJwJ2k+s9pk+mcnG/wVUNQ3u:BGdVyVT9nOgmhvnG/wNbTC+vipJ2bsQr
Signatures

purplefox_rootkit yara matches 12 IoCs
resource | yara_rule
behavioral1/memory/3744-6-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral1/memory/3744-7-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral1/memory/3744-10-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral1/memory/444-16-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral1/memory/444-15-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral1/memory/444-17-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral1/memory/444-23-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral1/memory/2564-30-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral1/memory/2564-31-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral1/memory/2564-32-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral1/memory/2564-34-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral1/memory/2564-37-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit

Gh0st RAT payload 13 IoCs
resource | yara_rule
behavioral1/memory/3744-6-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral1/memory/3744-7-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral1/memory/3744-10-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral1/memory/444-16-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral1/memory/444-15-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral1/memory/444-17-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral1/memory/444-23-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral1/files/0x001d00000002aabf-27.dat | family_gh0strat
behavioral1/memory/2564-30-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral1/memory/2564-31-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral1/memory/2564-32-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral1/memory/2564-34-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral1/memory/2564-37-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat

Gh0strat family

Purplefox family
Drops file in Drivers directory 1 IoCs
description | ioc | Process
File created | C:\Windows\system32\drivers\QAssist.sys | TXPlatforn.exe
Server Software Component: Terminal Services DLL 1 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\240630000.txt" | svchos.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\240640734.txt" | svchos.exe
The service name is shown as the report renders it: GBK-encoded bytes displayed as Latin-1, which decode to 主动防御服务模块 ("Active Defense Service Module").
Sets service image path in registry 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" | TXPlatforn.exe

Executes dropped EXE 23 IoCs
pid | Process
3744 svchost.exe, 444 TXPlatforn.exe, 4504 svchos.exe, 2564 TXPlatforn.exe, 1404 HD_2024-12-08_7091ef9191eae2ef9fba1acd659f916d_hijackloader_icedid.exe, 696 msedge.exe, 4004 svchost.exe, 3400 TXPlatforn.exe, 4444 svchos.exe, 3452 TXPlatforn.exe, 3992 HD_msedge.exe, 1928 HD_msedge.exe, 3320 HD_msedge.exe, 416 HD_msedge.exe, 4424 HD_msedge.exe, 1972 HD_msedge.exe, 576 HD_msedge.exe, 3100 HD_msedge.exe, 4712 HD_msedge.exe, 2440 HD_msedge.exe, 1776 HD_msedge.exe, 4408 HD_msedge.exe, 4600 HD_msedge.exe

Loads dropped DLL 2 IoCs
pid | Process
4504 svchos.exe, 4444 svchos.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Checks whether UAC is enabled
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | HD_msedge.exe
Checks system information in the registry 2 TTPs 2 IoCs
System information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | HD_msedge.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | HD_msedge.exe

Drops file in System32 directory 6 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\ini.ini | svchos.exe
File opened for modification | C:\Windows\SysWOW64\ini.ini | svchos.exe
File created | C:\Windows\SysWOW64\TXPlatforn.exe | svchost.exe
File opened for modification | C:\Windows\SysWOW64\TXPlatforn.exe | svchost.exe
File created | C:\Windows\SysWOW64\240630000.txt | svchos.exe
File created | C:\Windows\SysWOW64\240640734.txt | svchos.exe
upx yara matches 14 IoCs
resource | yara_rule
behavioral1/memory/3744-4-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral1/memory/3744-6-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral1/memory/3744-7-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral1/memory/3744-10-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral1/memory/444-16-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral1/memory/444-15-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral1/memory/444-17-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral1/memory/444-13-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral1/memory/444-23-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral1/memory/2564-30-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral1/memory/2564-31-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral1/memory/2564-32-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral1/memory/2564-34-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral1/memory/2564-37-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
Drops file in Program Files directory 7 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe | msedge.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe | msedge.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | 2024-12-08_7091ef9191eae2ef9fba1acd659f916d_hijackloader_icedid.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | 2024-12-08_7091ef9191eae2ef9fba1acd659f916d_hijackloader_icedid.exe
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | 2024-12-08_7091ef9191eae2ef9fba1acd659f916d_hijackloader_icedid.exe
File created | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | 2024-12-08_7091ef9191eae2ef9fba1acd659f916d_hijackloader_icedid.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | 2024-12-08_7091ef9191eae2ef9fba1acd659f916d_hijackloader_icedid.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 13 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 13 entries, by: svchos.exe, PING.EXE, svchost.exe, TXPlatforn.exe, svchos.exe, PING.EXE, TXPlatforn.exe, svchost.exe, cmd.exe, HD_2024-12-08_7091ef9191eae2ef9fba1acd659f916d_hijackloader_icedid.exe, msedge.exe, cmd.exe, 2024-12-08_7091ef9191eae2ef9fba1acd659f916d_hijackloader_icedid.exe
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
3300 cmd.exe, 2760 PING.EXE, 824 cmd.exe, 2436 PING.EXE

Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | HD_msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | HD_msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | HD_msedge.exe

Runs ping.exe 1 TTPs 2 IoCs
pid | Process
2760 PING.EXE, 2436 PING.EXE

Suspicious behavior: EnumeratesProcesses 13 IoCs
pid | Process
4456 2024-12-08_7091ef9191eae2ef9fba1acd659f916d_hijackloader_icedid.exe (2 entries), 696 msedge.exe (2 entries), 3320 HD_msedge.exe (2 entries), 3992 HD_msedge.exe (3 entries), 4408 HD_msedge.exe (2 entries), 3164 identity_helper.exe (2 entries)

Suspicious behavior: LoadsDriver 1 IoCs
pid | Process
2564 TXPlatforn.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeIncBasePriorityPrivilege | 3744 | svchost.exe
Token: SeLoadDriverPrivilege | 2564 | TXPlatforn.exe
Token: SeIncBasePriorityPrivilege | 4004 | svchost.exe

Suspicious use of FindShellTrayWindow 26 IoCs
pid | Process
3992 HD_msedge.exe (26 entries)

Suspicious use of SendNotifyMessage 12 IoCs
pid | Process
3992 HD_msedge.exe (12 entries)

Suspicious use of SetWindowsHookEx 4 IoCs
pid | Process
4456 2024-12-08_7091ef9191eae2ef9fba1acd659f916d_hijackloader_icedid.exe (2 entries), 696 msedge.exe (2 entries)
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target | entries
PID 4456 wrote to memory of 3744 | 4456 | 2024-12-08_7091ef9191eae2ef9fba1acd659f916d_hijackloader_icedid.exe | 77 | 3
PID 3744 wrote to memory of 3300 | 3744 | svchost.exe | 79 | 3
PID 4456 wrote to memory of 4504 | 4456 | 2024-12-08_7091ef9191eae2ef9fba1acd659f916d_hijackloader_icedid.exe | 80 | 3
PID 444 wrote to memory of 2564 | 444 | TXPlatforn.exe | 81 | 3
PID 3300 wrote to memory of 2760 | 3300 | cmd.exe | 85 | 3
PID 4456 wrote to memory of 1404 | 4456 | 2024-12-08_7091ef9191eae2ef9fba1acd659f916d_hijackloader_icedid.exe | 86 | 3
PID 1404 wrote to memory of 696 | 1404 | HD_2024-12-08_7091ef9191eae2ef9fba1acd659f916d_hijackloader_icedid.exe | 92 | 3
PID 696 wrote to memory of 4004 | 696 | msedge.exe | 93 | 3
PID 4004 wrote to memory of 824 | 4004 | svchost.exe | 95 | 3
PID 696 wrote to memory of 4444 | 696 | msedge.exe | 96 | 3
PID 3400 wrote to memory of 3452 | 3400 | TXPlatforn.exe | 97 | 3
PID 696 wrote to memory of 3992 | 696 | msedge.exe | 99 | 2
PID 3992 wrote to memory of 1928 | 3992 | HD_msedge.exe | 100 | 2
PID 824 wrote to memory of 2436 | 824 | cmd.exe | 101 | 3
PID 3992 wrote to memory of 416 | 3992 | HD_msedge.exe | 102 | 24
System policy modification 1 TTPs 1 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection | HD_msedge.exe
Processes

Each entry gives the image path, the command line as recorded, the depth in the process tree and the PID, followed by the signatures attributed to that process.

C:\Users\Admin\AppData\Local\Temp\2024-12-08_7091ef9191eae2ef9fba1acd659f916d_hijackloader_icedid.exe (level 1, PID 4456)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-12-08_7091ef9191eae2ef9fba1acd659f916d_hijackloader_icedid.exe"
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\svchost.exe (level 2, PID 3744)
    Command line: C:\Users\Admin\AppData\Local\Temp\\svchost.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (level 3, PID 3300)
      Command line: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul
      - System Location Discovery: System Language Discovery
      - System Network Configuration Discovery: Internet Connection Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\PING.EXE (level 4, PID 2760)
        Command line: ping -n 2 127.0.0.1
        - System Location Discovery: System Language Discovery
        - System Network Configuration Discovery: Internet Connection Discovery
        - Runs ping.exe

  C:\Users\Admin\AppData\Local\Temp\svchos.exe (level 2, PID 4504)
    Command line: C:\Users\Admin\AppData\Local\Temp\\svchos.exe
    - Server Software Component: Terminal Services DLL
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery

  C:\Users\Admin\AppData\Local\Temp\HD_2024-12-08_7091ef9191eae2ef9fba1acd659f916d_hijackloader_icedid.exe (level 2, PID 1404)
    Command line: C:\Users\Admin\AppData\Local\Temp\HD_2024-12-08_7091ef9191eae2ef9fba1acd659f916d_hijackloader_icedid.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 3, PID 696)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://uu.163.com/
      - Executes dropped EXE
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\svchost.exe (level 4, PID 4004)
        Command line: C:\Users\Admin\AppData\Local\Temp\\svchost.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe (level 5, PID 824)
          Command line: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul
          - System Location Discovery: System Language Discovery
          - System Network Configuration Discovery: Internet Connection Discovery
          - Suspicious use of WriteProcessMemory

          C:\Windows\SysWOW64\PING.EXE (level 6, PID 2436)
            Command line: ping -n 2 127.0.0.1
            - System Location Discovery: System Language Discovery
            - System Network Configuration Discovery: Internet Connection Discovery
            - Runs ping.exe

      C:\Users\Admin\AppData\Local\Temp\svchos.exe (level 4, PID 4444)
        Command line: C:\Users\Admin\AppData\Local\Temp\\svchos.exe
        - Server Software Component: Terminal Services DLL
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery

      C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe (level 4, PID 3992)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe"
        - Executes dropped EXE
        - Checks whether UAC is enabled
        - Checks system information in the registry
        - Enumerates system info in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
        - System policy modification

        C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe (level 5, PID 1928)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8eae13cb8,0x7ff8eae13cc8,0x7ff8eae13cd8
          - Executes dropped EXE

        C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe (level 5, PID 416)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=gpu-process --field-trial-handle=1912,2348189737740247116,13808863374551284565,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1924 /prefetch:2
          - Executes dropped EXE

        C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe (level 5, PID 3320)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1912,2348189737740247116,13808863374551284565,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2328 /prefetch:3
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses

        C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe (level 5, PID 4424)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1912,2348189737740247116,13808863374551284565,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2808 /prefetch:8
          - Executes dropped EXE

        C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe (level 5, PID 1972)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=1912,2348189737740247116,13808863374551284565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
          - Executes dropped EXE

        C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe (level 5, PID 576)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=1912,2348189737740247116,13808863374551284565,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
          - Executes dropped EXE

        C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe (level 5, PID 4712)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=1912,2348189737740247116,13808863374551284565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4572 /prefetch:1
          - Executes dropped EXE

        C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe (level 5, PID 3100)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=1912,2348189737740247116,13808863374551284565,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4504 /prefetch:1
          - Executes dropped EXE

        C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe (level 5, PID 2440)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=1912,2348189737740247116,13808863374551284565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4544 /prefetch:1
          - Executes dropped EXE

        C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe (level 5, PID 1776)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=1912,2348189737740247116,13808863374551284565,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4524 /prefetch:1
          - Executes dropped EXE

        C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe (level 5, PID 4408)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1912,2348189737740247116,13808863374551284565,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4736 /prefetch:8
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses

        C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe (level 5, PID 4600)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=1912,2348189737740247116,13808863374551284565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
          - Executes dropped EXE

        C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe (level 5, PID 3164)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1912,2348189737740247116,13808863374551284565,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3892 /prefetch:8
          - Suspicious behavior: EnumeratesProcesses

C:\Windows\SysWOW64\TXPlatforn.exe (level 1, PID 444)
  Command line: C:\Windows\SysWOW64\TXPlatforn.exe -auto
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\TXPlatforn.exe (level 2, PID 2564)
    Command line: C:\Windows\SysWOW64\TXPlatforn.exe -acsi
    - Drops file in Drivers directory
    - Sets service image path in registry
    - Executes dropped EXE
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\svchost.exe (level 1, PID 3832)
  Command line: C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"

C:\Windows\SysWOW64\svchost.exe (level 1, PID 4152)
  Command line: C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"

C:\Windows\system32\svchost.exe (level 1, PID 3892)
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc

C:\Windows\SysWOW64\TXPlatforn.exe (level 1, PID 3400)
  Command line: C:\Windows\SysWOW64\TXPlatforn.exe -auto
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\TXPlatforn.exe (level 2, PID 3452)
    Command line: C:\Windows\SysWOW64\TXPlatforn.exe -acsi
    - Executes dropped EXE

C:\Windows\System32\CompPkgSrv.exe (level 1, PID 3980)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe (level 1, PID 2844)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\rundll32.exe (level 1, PID 4180)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Server Software Component (1)
    Terminal Services DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)
Downloads