Analysis
max time kernel: 122s
max time network: 127s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 17-12-2024 23:27

Static task: static1
Behavioral task: behavioral1
Sample: 2024-12-17_c961250ad9853c3ee1228b3c6629160e_icedid.exe
Resource: win7-20241010-en
General
Target: 2024-12-17_c961250ad9853c3ee1228b3c6629160e_icedid.exe
Size: 3.0MB
MD5: c961250ad9853c3ee1228b3c6629160e
SHA1: 1f6203b26a4a577ad274c8ca2d70877927d044df
SHA256: 8cdc181cec0f3eaf421c7c801859c8bb629510c56ce643c7c35071c33541b1ee
SHA512: 404da73d5d997ac0fdcd332b8ea19be661226d11244d1c801810939b1b8487487dc2bb507899dfe95126355bb5dedac21ff9c7ff8439f5ac852cb25c15e3481c
SSDEEP: 98304:FqshbRl6+qOyVq9dPZp72LZcLigmlcHLR6:0sh+POyVq91KZNlgLR6
Malware Config
Extracted
Family: sality
URLs:
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service 3 TTPs 3 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 2024-12-17_c961250ad9853c3ee1228b3c6629160e_icedid.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | 2024-12-17_c961250ad9853c3ee1228b3c6629160e_icedid.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | 2024-12-17_c961250ad9853c3ee1228b3c6629160e_icedid.exe
Sality family

UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 2024-12-17_c961250ad9853c3ee1228b3c6629160e_icedid.exe

Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 2024-12-17_c961250ad9853c3ee1228b3c6629160e_icedid.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 2024-12-17_c961250ad9853c3ee1228b3c6629160e_icedid.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 2024-12-17_c961250ad9853c3ee1228b3c6629160e_icedid.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 2024-12-17_c961250ad9853c3ee1228b3c6629160e_icedid.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 2024-12-17_c961250ad9853c3ee1228b3c6629160e_icedid.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | 2024-12-17_c961250ad9853c3ee1228b3c6629160e_icedid.exe
Executes dropped EXE 1 IoCs
pid | Process
2076 | Easy-Lock.exe

Loads dropped DLL 2 IoCs
pid | Process
1832 | 2024-12-17_c961250ad9853c3ee1228b3c6629160e_icedid.exe
2076 | Easy-Lock.exe

Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | 2024-12-17_c961250ad9853c3ee1228b3c6629160e_icedid.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 2024-12-17_c961250ad9853c3ee1228b3c6629160e_icedid.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 2024-12-17_c961250ad9853c3ee1228b3c6629160e_icedid.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 2024-12-17_c961250ad9853c3ee1228b3c6629160e_icedid.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | 2024-12-17_c961250ad9853c3ee1228b3c6629160e_icedid.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 2024-12-17_c961250ad9853c3ee1228b3c6629160e_icedid.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 2024-12-17_c961250ad9853c3ee1228b3c6629160e_icedid.exe

Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 2024-12-17_c961250ad9853c3ee1228b3c6629160e_icedid.exe
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\D: | Easy-Lock.exe
File opened (read-only) | \??\F: | Easy-Lock.exe

resource | yara_rule
behavioral1/memory/1832-1-0x0000000002060000-0x000000000311A000-memory.dmp | upx
behavioral1/memory/1832-4-0x0000000002060000-0x000000000311A000-memory.dmp | upx
behavioral1/memory/1832-20-0x0000000002060000-0x000000000311A000-memory.dmp | upx
behavioral1/memory/1832-9-0x0000000002060000-0x000000000311A000-memory.dmp | upx
behavioral1/memory/1832-21-0x0000000002060000-0x000000000311A000-memory.dmp | upx
behavioral1/memory/1832-10-0x0000000002060000-0x000000000311A000-memory.dmp | upx
behavioral1/memory/1832-8-0x0000000002060000-0x000000000311A000-memory.dmp | upx
behavioral1/memory/1832-5-0x0000000002060000-0x000000000311A000-memory.dmp | upx
behavioral1/memory/1832-68-0x0000000002060000-0x000000000311A000-memory.dmp | upx
behavioral1/memory/1832-3-0x0000000002060000-0x000000000311A000-memory.dmp | upx
behavioral1/memory/1832-6-0x0000000002060000-0x000000000311A000-memory.dmp | upx
Drops file in Windows directory 2 IoCs
description | ioc | Process
File created | C:\Windows\f76c13d | 2024-12-17_c961250ad9853c3ee1228b3c6629160e_icedid.exe
File opened for modification | C:\Windows\SYSTEM.INI | 2024-12-17_c961250ad9853c3ee1228b3c6629160e_icedid.exe

HTTP links in PDF interactive object 4 IoCs
Detects HTTP links in interactive objects within PDF files.
resource | yara_rule
behavioral1/files/0x000500000001950f-94.dat | pdf_with_link_action
behavioral1/files/0x00050000000194ef-93.dat | pdf_with_link_action
behavioral1/files/0x00050000000194eb-92.dat | pdf_with_link_action
behavioral1/files/0x000a000000016ce0-91.dat | pdf_with_link_action
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2024-12-17_c961250ad9853c3ee1228b3c6629160e_icedid.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Easy-Lock.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid | Process
1832 | 2024-12-17_c961250ad9853c3ee1228b3c6629160e_icedid.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1832 | 2024-12-17_c961250ad9853c3ee1228b3c6629160e_icedid.exe (22 identical entries)

Suspicious use of SetWindowsHookEx 3 IoCs
pid | Process
1832 | 2024-12-17_c961250ad9853c3ee1228b3c6629160e_icedid.exe
2076 | Easy-Lock.exe
2076 | Easy-Lock.exe

Suspicious use of WriteProcessMemory 8 IoCs
description | pid | Process | procid_target
PID 1832 wrote to memory of 1088 | 1832 | 2024-12-17_c961250ad9853c3ee1228b3c6629160e_icedid.exe | 19
PID 1832 wrote to memory of 1172 | 1832 | 2024-12-17_c961250ad9853c3ee1228b3c6629160e_icedid.exe | 20
PID 1832 wrote to memory of 1200 | 1832 | 2024-12-17_c961250ad9853c3ee1228b3c6629160e_icedid.exe | 21
PID 1832 wrote to memory of 1416 | 1832 | 2024-12-17_c961250ad9853c3ee1228b3c6629160e_icedid.exe | 23
PID 1832 wrote to memory of 2076 | 1832 | 2024-12-17_c961250ad9853c3ee1228b3c6629160e_icedid.exe | 30
PID 1832 wrote to memory of 2076 | 1832 | 2024-12-17_c961250ad9853c3ee1228b3c6629160e_icedid.exe | 30
PID 1832 wrote to memory of 2076 | 1832 | 2024-12-17_c961250ad9853c3ee1228b3c6629160e_icedid.exe | 30
PID 1832 wrote to memory of 2076 | 1832 | 2024-12-17_c961250ad9853c3ee1228b3c6629160e_icedid.exe | 30

System policy modification 1 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 2024-12-17_c961250ad9853c3ee1228b3c6629160e_icedid.exe
Processes
image | command line | PID
- C:\Windows\system32\taskhost.exe | "taskhost.exe" | PID:1088
- C:\Windows\system32\Dwm.exe | "C:\Windows\system32\Dwm.exe" | PID:1172
- C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:1200
  - C:\Users\Admin\AppData\Local\Temp\2024-12-17_c961250ad9853c3ee1228b3c6629160e_icedid.exe | "C:\Users\Admin\AppData\Local\Temp\2024-12-17_c961250ad9853c3ee1228b3c6629160e_icedid.exe" | PID:1832
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Loads dropped DLL
    - Windows security modification
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    - C:\Users\Admin\AppData\Local\Temp\EasyLock\Easy-Lock.exe | -l="C:\Users\Admin\AppData\Local\Temp" | PID:2076
      - Executes dropped EXE
      - Loads dropped DLL
      - Enumerates connected drives
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:1416
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Create or Modify System Process (1): Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
- Filesize: 3.9MB
  MD5: f7fd4cbb2618587b85f902fbdddfea30
  SHA1: 39f5e4097d9d6d91a31180b417a46f71ea6f8b74
  SHA256: ee329c9537d91498cac60a4d8d5e93fabe76130ff80b80a33aef3c3d47607f90
  SHA512: d206a22cdf9fd6cbf2452c802f1a580e2669864b6226a13dc77465b8ba16a59e583cfe4c8cf21e48cf9431bc999609e4e2c7bceceac63396206132656369f9aa
- Filesize: 321KB
  MD5: fecc2304159e711cfbe4e282b88fa78d
  SHA1: acd7cd34b127d1d0915f7862fd217dc140f4f3df
  SHA256: daa812fd3daf9afca323333f15a5dd38de0e50ecce196563e10f1013016ca39a
  SHA512: 6bfeda9bf7c9951d412a9a62164cb2c9f5547ffa5b6c03f09c5f90ce2cb745c12a44c430f87f7ad71ea8c2f917ed61a95f3561a0a535eebeaa7f6b8dde568a06
- Filesize: 349KB
  MD5: 814048fb825e018a43f60bddbadb608f
  SHA1: b77d94986cd66d5dc49d0195db6f3c96ebed2e2a
  SHA256: 088c7140a62ffc9ac2337d4ad0e3b4d3faf0b6a0c56edc319120e3bb497c8562
  SHA512: fc45898d286c3c1584de4f4b176a8a6434bb464eb8868dee8574913cc2bcc9b3b949b7f46a9f56edc6bf2fc229f16fbd8693271f1a7553b6b830b464b4d52cf8
- Filesize: 373KB
  MD5: eb5b87342c7dbe57b4b338260454d590
  SHA1: f03591ef5da74a4a4c1df9476a503936b4a9d790
  SHA256: 11599c724881bf14e6d69e0243fb3f09ec44e944c64b1cd74038cf469498c11b
  SHA512: 7820fcef7b97cd50754beddb8917bfeaa34e828eb86c06d084f15f039cc1fb0839fb72768aa9c98f7acfe1fb7e51b16c1e2c767a282f2128bbbd35e9d3e67b15
- Filesize: 387KB
  MD5: b1eb678d8188fe4e6da9129b7fd0510c
  SHA1: dddcf0167d13e2387f3fd0b8fde9cf389745c39c
  SHA256: 8381356d3033e081a70031d8e7624d84966742ac9ab57b2e4630d5135302475b
  SHA512: 9ba7d21c19c04f8122cc9e35e0b62c7925fd62e10c96bf26d99840b79e9a4834b8250efd44307e2069608c718bfb8a1660aff588dfef5cc638fe60a34da60c20
- Filesize: 22KB
  MD5: a1d39e97dc3dfddcea6e1373d669dea0
  SHA1: 09c0361e66f6dca5d1a62284e03f3970114b068f
  SHA256: 017b195d0a660cdd5ba6cc3b40ee5a4274e0e2d75804b266c87a096997c18661
  SHA512: 1fd71dfdb3398392c6daa6688f2b4902f71907dab834968fa6a305af50ad89877c2d6678907a2d7e31366074f03d610e5601cff05de6d19abe53dc8b1dae4667
- Filesize: 32KB
  MD5: 4b575251ac253c4c36a3b35589ea2758
  SHA1: 1c4240c4d4ce22cf79473c8e3600894235803be6
  SHA256: 3b4331a8a9662258798010895a4db64860a8465095d465e0343cc16945b2b73a
  SHA512: 560ca2e7bb15406418058ffaeccbac619d6a146d7fc6947b191009dd1ed955a177c4541ad4819e2cb545a0b17fdb2ab89ce66be633e475acee80af8a579ba894
- Filesize: 23KB
  MD5: 0ac1c4a59687ff0d04c444bb08544071
  SHA1: 571e3442c70b7ed2dc99d34a8a36f68ec2a9b911
  SHA256: 9d92dd908aa6d02fdffeced20ce0d2606adbc68944bc0b76e2414b6fabfd6111
  SHA512: 0e701b2943cdd5e3d2a963c4bead2f04ed2e5bfab1a149910c9face8af945b145e60888d482fd6a1a1d66a9ab08bc7a407e57df8ad311cf3e09b7deeb73bcca4
- Filesize: 23KB
  MD5: 8fb08f6d1fb732f525ad30ec33216242
  SHA1: f58dadf7399ab6d0602c0d6c90f2e3be94f9f68a
  SHA256: 866cdcaaec7b94bf6dda5059cfb93b8503e4de8554578cf0534babe676516ef4
  SHA512: b4066a92632d49d20912c464ca9cf6826350ff2f8810cb50b60750b6bd3fc41b07d6f4c419d4d67d4cf1f26cffb07e7c64db8ef2c9b94f7bb9fcd33c63b0d7aa
- Filesize: 1.2MB
  MD5: 9a7234078559093e06c9d32148ed95a3
  SHA1: 40361dad15b9b5ae2757a21d1ce6a61c3c37e891
  SHA256: 32f5d0a454c26e8aa6f4cad58f3782337cc97cfe2305bbfe564437e5f0d51bbc
  SHA512: 9a2c3761d799999a691cd605f11c4014f604afa9a46b3b4c9999eef177f0e703ca2ed52c22824cba613559ce37bd134c566d54a4e51141828816b02a4f3da05b
- Filesize: 2.5MB
  MD5: d7f2330216e740dabd447e350eed7152
  SHA1: 0ab3ff852c903f3124ca658bc59449007d7b161d
  SHA256: f698e40aff3bddfabfe5bf117eac8f8aed6a6a7d8eb435d5d7c49d224ae13a0e
  SHA512: 02745efdf5a3ca4aa0b0eab7687cabe11c325c5394d0e6da2bf99ac67c84851ad378f2f4ec5ddca2ea878c0fee663298b1ad1271fac9755c1ce91ba50d004d6e
- Filesize: 884B
  MD5: b34301144da892bb84cc83cb2b373e2a
  SHA1: 234be53b8e4fdd7fb5e3946c0394d24698739754
  SHA256: db7249538ef5a7d05f6746b9cb404a1d432f130a9447bbf3135385622979c0e6
  SHA512: 6a789a1b03ce3ca88b51f93d2bb5679f6450261ffb5d7db2908af6a0974f69459ccffe2aa2ee2f5c5399865974196eda2bd0de68e1bda710ef8b962a8b066fab