Analysis
max time kernel: 147s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-06-2024 22:44
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-06-28_89de3a110c0bffb2bc3e073089135f2c_icedid.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: 2024-06-28_89de3a110c0bffb2bc3e073089135f2c_icedid.exe
  Resource: win10v2004-20240508-en
General
Target: 2024-06-28_89de3a110c0bffb2bc3e073089135f2c_icedid.exe
Size: 10.8MB
MD5: 89de3a110c0bffb2bc3e073089135f2c
SHA1: 474df726bd9cc40699dad025c43f753e77eff1c1
SHA256: 27b3660ab08b007bb1a32d76a50de3c4ddb39d6427acbfff31a4ba4352aebfcd
SHA512: 6863522c6f03cf08847736e2d72ec8b74e0e7445ae4f221860ee74254977f4bb56b02ca51122b9ac16aa81eac72e7f2ed62c8df73c2f38c59adf6b0eaa878476
SSDEEP: 196608:4vA5UWb5RyputVARx2E9ONxxm2oadqvolbm/TBw00WxDtJ/YRZ8ZS4R0:/nRXtVw2E9cxzxViGWxDr/IGSB
Malware Config
Signatures

Modifies firewall policy service (3 TTPs, 9 IoCs)
Processes: setup.tmp
- Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{60C8A655-0CA6-42EB-B076-2D7978E29113} = "v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\\Windows\\system32\\winclass.exe|Name=Ô¶³ÌϵͳÍøÂç·þÎñ|Desc=Ô¶³ÌϵͳÍøÂç·þÎñ|" (setup.tmp)
- Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{11B39639-DA79-4C85-9244-317F5073252E} = "v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\\Windows\\system32\\sdcn.exe|Name=ϵͳÍøÂçÈÕÖ¾·þÎñ|Desc=ϵͳÍøÂçÈÕÖ¾·þÎñ|" (setup.tmp)
- Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{11B39639-DA79-4C85-9244-317F5073253E} = "v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\\Windows\\system32\\winclass.exe|Name=Ô¶³ÌϵͳÍøÂç·þÎñ|Desc=Ô¶³ÌϵͳÍøÂç·þÎñ|" (setup.tmp)
- Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{60C8A655-0CA6-42EB-B076-2D7978E29133} = "v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\\Windows\\system32\\winclass.exe|Name=Ô¶³ÌϵͳÍøÂç·þÎñ|Desc=Ô¶³ÌϵͳÍøÂç·þÎñ|" (setup.tmp)
- Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules (setup.tmp)
- Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{11B39639-DA79-4C85-9244-317F5073250E} = "v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\\Windows\\system32\\sdcn.exe|Name=ϵͳÍøÂçÈÕÖ¾·þÎñ|Desc=ϵͳÍøÂçÈÕÖ¾·þÎñ|" (setup.tmp)
- Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{11B39639-DA79-4C85-9244-317F5073251E} = "v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\\Windows\\system32\\winclass.exe|Name=Ô¶³ÌϵͳÍøÂç·þÎñ|Desc=Ô¶³ÌϵͳÍøÂç·þÎñ|" (setup.tmp)
- Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{60C8A655-0CA6-42EB-B076-2D7978E29103} = "v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\\Windows\\system32\\sdcn.exe|Name=ϵͳÍøÂçÈÕÖ¾·þÎñ|Desc=ϵͳÍøÂçÈÕÖ¾·þÎñ|" (setup.tmp)
- Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{60C8A655-0CA6-42EB-B076-2D7978E29123} = "v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\\Windows\\system32\\sdcn.exe|Name=ϵͳÍøÂçÈÕÖ¾·þÎñ|Desc=ϵͳÍøÂçÈÕÖ¾·þÎñ|" (setup.tmp)
Drops file in Drivers directory (6 IoCs)
Processes: setup.tmp, PassthruInstall.exe
- File created C:\Windows\SysWOW64\drivers\is-K5EP6.tmp (setup.tmp)
- File created C:\Windows\SysWOW64\drivers\is-GNF37.tmp (setup.tmp)
- File created C:\Windows\SysWOW64\drivers\is-TROFV.tmp (setup.tmp)
- File created C:\Windows\SysWOW64\drivers\is-92S2P.tmp (setup.tmp)
- File created C:\Windows\system32\drivers\Passthru.sys (PassthruInstall.exe)
- File opened for modification C:\Windows\system32\drivers\Passthru.sys (PassthruInstall.exe)
Sets service image path in registry (2 TTPs, 2 IoCs)
Processes: setup.tmp
- Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\YszHwFt\ImagePath = "SysWow64\\drivers\\YszHwFt.sys" (setup.tmp)
- Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Sdfssyy\ImagePath = "SysWow64\\drivers\\Sdfssyy.sys" (setup.tmp)
Executes dropped EXE (7 IoCs)
Processes (pid, process):
- 2944 WinManagerAgent.exe
- 4880 setup.exe
- 5072 setup.tmp
- 3952 instait.exe
- 4092 WinClass.exe
- 5076 mfboot.exe
- 1560 PassthruInstall.exe
Impair Defenses: Safe Mode Boot (1 TTPs, 10 IoCs)
Processes: setup.tmp
- Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Sdfssyy (setup.tmp)
- Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\yszfilter (setup.tmp)
- Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\YszHwft (setup.tmp)
- Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\YszHwft\ = "Service" (setup.tmp)
- Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Sdfssyy\ = "Service" (setup.tmp)
- Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\yszfilter\ = "Service" (setup.tmp)
- Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\System Help Service (setup.tmp)
- Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\System Help Service\ = "Service" (setup.tmp)
- Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Network Log Service (setup.tmp)
- Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Network Log Service\ = "Service" (setup.tmp)
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes: WinClass.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tvncontrol = "\"C:\\Windows\\SysWOW64\\WinClass.exe\" -controlservice -slave" (WinClass.exe)
Installs/modifies Browser Helper Object (2 TTPs, 1 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer.
Processes: setup.tmp
- Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DC4C0E84-84B5-4C93-BBAB-88688D0D64E2} (setup.tmp)
Drops file in System32 directory (55 IoCs)
Processes: setup.tmp, DrvInst.exe, WinManagerAgent.exe
- File created by setup.tmp, 48 Inno Setup temporaries under C:\Windows\SysWOW64\: is-6GB0A.tmp, is-RMD40.tmp, is-94TV1.tmp, is-LPOL5.tmp, is-U1T1K.tmp, is-OAGOJ.tmp, is-MG1QV.tmp, is-CVA49.tmp, is-K8OCT.tmp, is-KVCPJ.tmp, is-SS94H.tmp, is-D5D8C.tmp, is-BD70K.tmp, is-9SLKE.tmp, is-H5VU1.tmp, is-HPJ4T.tmp, is-FUGNJ.tmp, is-6JTGV.tmp, is-U8594.tmp, is-0SCR8.tmp, is-L3LFA.tmp, is-R6LAF.tmp, is-IICNJ.tmp, is-QC2F1.tmp, is-V94M9.tmp, is-EICG1.tmp, is-MGME9.tmp, is-0KH9E.tmp, is-DAF3F.tmp, is-HS3GN.tmp, is-RHJEH.tmp, is-6H80R.tmp, is-CAK8K.tmp, is-NG1VS.tmp, is-RD7JS.tmp, is-C6JTP.tmp, is-E621N.tmp, is-4394O.tmp, is-FVQK2.tmp, is-DIQFQ.tmp, is-22L2P.tmp, is-UM3DL.tmp, is-DKTSC.tmp, is-747G3.tmp, is-S6CN6.tmp, is-S9T19.tmp, is-MQDFD.tmp, is-7JAGB.tmp
- File opened for modification C:\Windows\System32\DriverStore\Temp\{ede37f39-81a6-3348-bd5a-8279daab409f}\netsf_m.inf (DrvInst.exe)
- File created C:\Windows\System32\DriverStore\Temp\{ede37f39-81a6-3348-bd5a-8279daab409f}\SET612C.tmp (DrvInst.exe)
- File opened for modification C:\Windows\System32\DriverStore\Temp\{ede37f39-81a6-3348-bd5a-8279daab409f}\netsf.cat (DrvInst.exe)
- File opened for modification C:\Windows\System32\DriverStore\Temp\{ede37f39-81a6-3348-bd5a-8279daab409f}\SET611B.tmp (DrvInst.exe)
- File opened for modification C:\Windows\SysWOW64\msvcr100.dll (WinManagerAgent.exe)
- File created C:\Windows\System32\DriverStore\Temp\{ede37f39-81a6-3348-bd5a-8279daab409f}\SET611B.tmp (DrvInst.exe)
- File opened for modification C:\Windows\System32\DriverStore\Temp\{ede37f39-81a6-3348-bd5a-8279daab409f}\SET612C.tmp (DrvInst.exe)
Drops file in Windows directory (3 IoCs)
Processes: svchost.exe, DrvInst.exe, PassthruInstall.exe
- File opened for modification C:\Windows\INF\setupapi.dev.log (svchost.exe)
- File opened for modification C:\Windows\INF\setupapi.dev.log (DrvInst.exe)
- File opened for modification C:\Windows\INF\setupapi.dev.log (PassthruInstall.exe)
Checks SCSI registry key(s) (3 TTPs, 10 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: svchost.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 (svchost.exe)
- Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags (svchost.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 (svchost.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 (svchost.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 (svchost.exe)
- Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags (svchost.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 (svchost.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 (svchost.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 (svchost.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 (svchost.exe)
Modifies data under HKEY_USERS (42 IoCs)
Processes: DrvInst.exe
All 42 entries are "Key created" by DrvInst.exe; paths are relative to \REGISTRY\USER\.DEFAULT\Software\:
- Policies\Microsoft\SystemCertificates\TrustedPeople
- Policies\Microsoft\SystemCertificates\trust
- Microsoft\SystemCertificates\CA\CTLs
- Policies\Microsoft\SystemCertificates\CA\Certificates
- Microsoft\SystemCertificates\Root
- Microsoft\SystemCertificates\Root\CTLs
- Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
- Policies\Microsoft\SystemCertificates\CA
- Microsoft\SystemCertificates\Disallowed\CTLs
- Microsoft\SystemCertificates\Root\Certificates
- Microsoft\SystemCertificates\SmartCardRoot\Certificates
- Microsoft\SystemCertificates\CA\CRLs
- Policies\Microsoft\SystemCertificates\Disallowed
- Microsoft\SystemCertificates\TrustedPeople
- Policies\Microsoft\SystemCertificates\trust\CTLs
- Microsoft\SystemCertificates\trust\Certificates
- Microsoft\SystemCertificates\CA\Certificates
- Policies\Microsoft\SystemCertificates\CA\CRLs
- Policies\Microsoft\SystemCertificates\Disallowed\Certificates
- Microsoft\SystemCertificates\TrustedPeople\Certificates
- Policies\Microsoft\SystemCertificates\Disallowed\CTLs
- Microsoft\SystemCertificates\SmartCardRoot
- Microsoft\SystemCertificates\SmartCardRoot\CRLs
- Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates
- Microsoft\SystemCertificates\CA
- Policies\Microsoft\SystemCertificates\CA\CTLs
- Microsoft\SystemCertificates\Disallowed\Certificates
- Microsoft\SystemCertificates\Disallowed\CRLs
- Microsoft\SystemCertificates\trust\CTLs
- Policies\Microsoft\SystemCertificates\trust\Certificates
- Microsoft\SystemCertificates\TrustedPeople\CRLs
- Microsoft\SystemCertificates\TrustedPeople\CTLs
- Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs
- Microsoft\SystemCertificates\trust
- Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs
- Microsoft\SystemCertificates\My
- Microsoft\SystemCertificates\Disallowed
- Policies\Microsoft\SystemCertificates\Disallowed\CRLs
- Microsoft\SystemCertificates\Root\CRLs
- Microsoft\SystemCertificates\SmartCardRoot\CTLs
- Microsoft\SystemCertificates\trust\CRLs
- Policies\Microsoft\SystemCertificates\trust\CRLs
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: svchost.exe
- Token: SeAuditPrivilege (pid 664, svchost.exe)
- Token: SeSecurityPrivilege (pid 664, svchost.exe)
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes (pid, process):
- 5108 2024-06-28_89de3a110c0bffb2bc3e073089135f2c_icedid.exe
- 5076 mfboot.exe
Suspicious use of WriteProcessMemory (24 IoCs)
Processes: 2024-06-28_89de3a110c0bffb2bc3e073089135f2c_icedid.exe, WinManagerAgent.exe, setup.exe, setup.tmp, svchost.exe, DrvInst.exe
Each line gives source PID and process, target PID and process, and how many times the write was recorded:
- PID 5108 (2024-06-28_89de3a110c0bffb2bc3e073089135f2c_icedid.exe) wrote to memory of 2944 (WinManagerAgent.exe), 3 times
- PID 2944 (WinManagerAgent.exe) wrote to memory of 4880 (setup.exe), 3 times
- PID 4880 (setup.exe) wrote to memory of 5072 (setup.tmp), 3 times
- PID 5072 (setup.tmp) wrote to memory of 3952 (instait.exe), 3 times
- PID 5072 (setup.tmp) wrote to memory of 4092 (WinClass.exe), 3 times
- PID 5072 (setup.tmp) wrote to memory of 5076 (mfboot.exe), 3 times
- PID 5072 (setup.tmp) wrote to memory of 1560 (PassthruInstall.exe), 2 times
- PID 664 (svchost.exe) wrote to memory of 3104 (DrvInst.exe), 2 times
- PID 3104 (DrvInst.exe) wrote to memory of 3116 (rundll32.exe), 2 times
System policy modification (1 TTPs, 2 IoCs)
Processes: setup.tmp
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (setup.tmp)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\SoftwareSASGeneration = "1" (setup.tmp)
Processes
Process tree; the bracketed number is the nesting depth and each entry lists its image path, its command line and the signatures it triggered.

[1] C:\Users\Admin\AppData\Local\Temp\2024-06-28_89de3a110c0bffb2bc3e073089135f2c_icedid.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-28_89de3a110c0bffb2bc3e073089135f2c_icedid.exe"
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\WinManagerAgent.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\WinManagerAgent.exe /VERYSILENT /ServerIP=172.16.0.22
      - Executes dropped EXE
      - Drops file in System32 directory
      - Suspicious use of WriteProcessMemory

    [3] C:\Users\Admin\AppData\Local\Temp\setup.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\setup.exe /VERYSILENT /ServerIP=172.16.0.22
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory

      [4] C:\Users\Admin\AppData\Local\Temp\is-4LA0C.tmp\setup.tmp
          Command line: "C:\Users\Admin\AppData\Local\Temp\is-4LA0C.tmp\setup.tmp" /SL5="$F00EC,4922870,54272,C:\Users\Admin\AppData\Local\Temp\setup.exe" /VERYSILENT /ServerIP=172.16.0.22
          - Modifies firewall policy service
          - Drops file in Drivers directory
          - Sets service image path in registry
          - Executes dropped EXE
          - Impair Defenses: Safe Mode Boot
          - Installs/modifies Browser Helper Object
          - Drops file in System32 directory
          - Suspicious use of WriteProcessMemory
          - System policy modification

        [5] C:\Users\Admin\AppData\Local\Temp\is-0IEFC.tmp\instait.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\is-0IEFC.tmp\instait.exe"
            - Executes dropped EXE

        [5] C:\Windows\SysWOW64\WinClass.exe
            Command line: "C:\Windows\system32\WinClass.exe" -install -silent
            - Executes dropped EXE
            - Adds Run key to start application

        [5] C:\Users\Admin\AppData\Local\Temp\is-0IEFC.tmp\mfboot.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\is-0IEFC.tmp\mfboot.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx

        [5] C:\Windows\SysWOW64\PassthruInstall.exe
            Command line: "C:\Windows\system32\PassthruInstall.exe"
            - Drops file in Drivers directory
            - Executes dropped EXE
            - Drops file in Windows directory

[1] C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\system32\DrvInst.exe
      Command line: DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{810475f1-7e63-9a45-a9a0-6435c6955fa4}\netsf_m.inf" "9" "47d0901a3" "000000000000014C" "WinSta0\Default" "0000000000000164" "208" "C:\Windows\SysWOW64"
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Modifies data under HKEY_USERS
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\system32\rundll32.exe
        Command line: rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{625574ad-947b-8941-b75c-23a190c07cf6} Global\{ad03abaf-be36-7c4c-a781-1802bbaa7456} C:\Windows\System32\DriverStore\Temp\{ede37f39-81a6-3348-bd5a-8279daab409f}\netsf_m.inf C:\Windows\System32\DriverStore\Temp\{ede37f39-81a6-3348-bd5a-8279daab409f}\netsf.cat
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Counts in parentheses are the number of matching signatures.
Persistence
- Create or Modify System Process (1): Windows Service (1)
- Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (2)
- Browser Extensions (1)
Privilege Escalation
- Create or Modify System Process (1): Windows Service (1)
- Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (2)
Defense Evasion
- Modify Registry (5)
- Impair Defenses (2): Disable or Modify System Firewall (1), Safe Mode Boot (1)
Downloads

C:\Users\Admin\AppData\Local\Temp\WinManagerAgent.exe
  Filesize: 10.6MB
  MD5: 9c43ec0fc8d71894e3cc6bb52ecc1f1c
  SHA1: 69e0916999fd2e031809ca523a895759f40fb85f
  SHA256: 82ba971fc7d511d8dfef0d1ee8da9648f2f72e7f43ddbbb1be1e79d63fcecf25
  SHA512: aaef11301bd5ee123fec596c3b7933c91acecbb138bb7c7d0a82ef7c42bcd105d8b3312fa936360d57a03e88abca4a56732f19812bd80b95c7c229bd49de286c

C:\Users\Admin\AppData\Local\Temp\is-0IEFC.tmp\instait.exe
  Filesize: 88KB
  MD5: 8a66f11d2ce906e558d4bea65504447a
  SHA1: 04d374d1522dd1c0476c8d29e1a1c9cf110c7d29
  SHA256: d85be407d6aa86ad6e741c454b52302d165894cfe5930be7336934a67298cc14
  SHA512: e667827af62445a7d2f500dcb29f8db12885a2d72dd965646ccfac6c777884cccda4c280015035100c9aa2e363027c3c7208d2516258baf6b3df37bd8e68a2ab

C:\Users\Admin\AppData\Local\Temp\is-0IEFC.tmp\mfboot.exe
  Filesize: 250KB
  MD5: 90c6119e37d941fd1fb6f55ad4e71c77
  SHA1: 5e77fa4dd77e3854eec45c9ac5fd6f44c8b349cb
  SHA256: 9ec20728f06a947f8f79eee89082d33f8fb223b149c2a3c204906c383f63fde3
  SHA512: 66bc3aef3d01a594159c2625fc6c5ac1d7bb9c52a59084b54e0eb9cfc6f480c9120a90aadb1ac05ff9d42bfd7c9ebd1b09c143bfb58f3578e9e2c3be194c3cc9

C:\Users\Admin\AppData\Local\Temp\is-4LA0C.tmp\setup.tmp
  Filesize: 741KB
  MD5: ce37333b56a8b916e5f7b88b080109a3
  SHA1: b608369e2875bb4a78b8e4cf5a9973ad38b7ba81
  SHA256: 77e7911c367e909718be547301070a8bc51ed5d7e51420ed620ca3ade74a1488
  SHA512: 9ac6e8ac2bce11a51c4115f091bac1ff98fb6ced3303d5509dde34c7d6e9fa0bf3275a0f4b78b644f2bf55f20f6a4ed5067b4d3135e91c4bb494ab61adc5f729

C:\Users\Admin\AppData\Local\Temp\setup.exe
  Filesize: 4.9MB
  MD5: f21ec81e9739fc22c2b11835250df8ed
  SHA1: 6bc423c58a3d4ef7634c8b9be58037c35cb2008a
  SHA256: 5eef17155cf3c3f4041925eee2e6e0d7a9c38e4466569b7d594eff6aa6742953
  SHA512: 26659eceecf652284697f2d69e01b94dbcfd0636c74037a2398bdfa199c51f745fa2f5905cad9f4b3af370d01c2340b99c6df14a4a8c09e4ca608195178c4314

C:\Users\Admin\AppData\Local\Temp\{810475f1-7e63-9a45-a9a0-6435c6955fa4}\netsf.cat
  Filesize: 9KB
  MD5: 66ce55fa9a430bcf8025e38775fbe89b
  SHA1: d43bd010131d57959bd3398992417cf940050bc4
  SHA256: 1122404db216c0a8e5fe16d9ba3487358a5b59857fb84da8da9c4ca109d22fd5
  SHA512: fdf8754d4c22e7df140a9e97e1ce381bbe175aa1e57a7653e7a25cc76b88f7ccff4fc5c3c0b2376a84f2eb51fa9eec5638cd374c779b053019ed07e188a77563

C:\Windows\SysWOW64\PassthruInstall.exe
  Filesize: 12KB
  MD5: 2d8b7a945d3868669ba04ba3ddc13cb6
  SHA1: 88855ba82df56ac5e46f00711f2807b1164d91a2
  SHA256: c473fcedcfa7cfa058374b2c5dd08b61ec0c3fdd9276bd7779465ad354c6b427
  SHA512: 039196724ae90b7ad4dc2f2bd67ad4c0a080020c15c921b1f69cc45f722ab93ade52b6dc16f736ff9f8112e06c8bd647e6edd845ff484168821106bcd104b184

C:\Windows\SysWOW64\drivers\passthru.sys
  Filesize: 31KB
  MD5: d32d4e1d3a8d3e7cf7d2aeca51a3d143
  SHA1: b700e34e425c60f0b5b8f8a309b655874909cf7d
  SHA256: a8656391606c5ee51f87e05f62bbbc5d51a32b5f5814ff29504da1704d23d36d
  SHA512: cc5dabfdeee40e731504749908e03f2ff79d77e1a4ecfee8d76dcb402278a8df440c5224bbf52d3cb177f2341fb5bc90a5fc4b9f525cd45147fbeceef37ac545

C:\Windows\SysWOW64\netsf_m.inf
  Filesize: 2KB
  MD5: e10e7eb0d7a79d374cc3a5262a79235a
  SHA1: 3acfb965d508bf9f63e811f3c3bbed55ddff5dbc
  SHA256: 7e3e13b44fe58c5576f9b807d465eccdf867a698986266949db8e97b76f5dd38
  SHA512: 7ee396b5fe65a29b881e05774d94615560bd7720db3816241fd5910cb5aa4803cce7fa3efe583c895fd0b7f9c232db31a9cea9c6befa29fe52a2e86f5a5c89e2

C:\Windows\SysWOW64\ntcaff372.dll
  Filesize: 12KB
  MD5: d7e67a2f5e3599834413342bd64effbf
  SHA1: 9264f61591b3e97f3efe1a318cd8b625a9e22ac4
  SHA256: 95c806cbdba0a74ad451cda7bc010b71baa2c8cd8fbddaed89813916b706b804
  SHA512: 9f785629c57d9438da3248725af07b3d0227f0b4ed6d2fc5f27b6c4348ef61f5ab098c35cd284d2389a26c865c1538a978a1fce6058d8132da2be3a2d43abb7b

C:\Windows\SysWOW64\vccaff32.dll
  Filesize: 20KB
  MD5: 7a1c78e0126b7ead742f778218e5d0d5
  SHA1: f67aa1f9c3cf16b4eb3940dab218ebee596b2584
  SHA256: 37614bfecf8ad64e75887482a98143b9f593fea4c5f05d8b9faaac6e06307b93
  SHA512: 36aa51a4703ccad59a10302f01c9fbc54cb7c976dcc637edf5617e5716e5ad475bfd00d00552364553aeacd144b7228a00cdf3a684a6acdfe2b33cd53de54b38

C:\Windows\SysWOW64\wccaff32.dll
  Filesize: 1.6MB
  MD5: 0395b4d490a8b6622d3f60364a7b944f
  SHA1: f8f8f2828a3dd505e43a2a1eb8b31b3f55ff0efb
  SHA256: 968618736c744cfff328bfd30b28d562bade131356be61c8d2a6f2464a046fe7
  SHA512: f7c4c8a96d42bb57bc825619066f1a4aeb9d4ecec34a978a2ecf8df57bc96df79686d86830f1c9af2b3db593f88adda3cd0d5a1ecbb7c99cc12074e944484085

Memory dumps
  memory/4880-11-0x0000000000401000-0x000000000040B000-memory.dmp, Filesize: 40KB
  memory/4880-9-0x0000000000400000-0x0000000000414000-memory.dmp, Filesize: 80KB
  memory/4880-177-0x0000000000400000-0x0000000000414000-memory.dmp, Filesize: 80KB
  memory/5072-16-0x0000000000400000-0x00000000004CA000-memory.dmp, Filesize: 808KB
  memory/5072-178-0x0000000000400000-0x00000000004CA000-memory.dmp, Filesize: 808KB