File name: 2024-12-30_26d0b51d199c4fa8fe11a3df6070a513_icedid

Full analysis: https://app.any.run/tasks/cf6da193-cb8f-4fe8-97d6-c222f6cbacf0
Verdict: Malicious activity
Analysis date: December 30, 2024, 12:45:27
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5: 26D0B51D199C4FA8FE11A3DF6070A513
SHA1: 6A675C9A102B478CCE0ACD17AF1744C4B31E1D50
SHA256: 8B39F3DF619FA11EEFFC6E19C7B73F5057E42827C307050743BF33FD2FC5C651
SSDEEP: 98304:qj9IlNv8wHzfiB3SVSs5eqzD8J5LoyzImvZh9yuWf0rlhfZddk3GSVSg5/xbptuB:upQc

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Changes the autorun value in the registry
      • serevc.exe (PID: 68)
    • Connects to the CnC server
      • serevc.exe (PID: 68)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • ser.exe (PID: 5920)
      • 2024-12-30_26d0b51d199c4fa8fe11a3df6070a513_icedid.exe (PID: 5536)
    • Contacting a server suspected of hosting a CnC
      • serevc.exe (PID: 68)
    • There is functionality for taking screenshots (YARA)
      • serevc.exe (PID: 68)
      • 2024-12-30_26d0b51d199c4fa8fe11a3df6070a513_icedid.exe (PID: 5536)
    • Connects to an unusual port
      • serevc.exe (PID: 68)
  • INFO
    • The sample was compiled with Chinese language support
      • 2024-12-30_26d0b51d199c4fa8fe11a3df6070a513_icedid.exe (PID: 5536)
      • ser.exe (PID: 5920)
    • Checks supported languages
      • ser.exe (PID: 5920)
      • 2024-12-30_26d0b51d199c4fa8fe11a3df6070a513_icedid.exe (PID: 5536)
      • serevc.exe (PID: 68)
    • Reads the computer name
      • serevc.exe (PID: 68)
    • Creates files in a temporary directory
      • 2024-12-30_26d0b51d199c4fa8fe11a3df6070a513_icedid.exe (PID: 5536)
    • UPX packer has been detected
      • 2024-12-30_26d0b51d199c4fa8fe11a3df6070a513_icedid.exe (PID: 5536)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (22.1)
.exe | Win64 Executable (generic) (19.6)
.exe | UPX compressed Win32 Executable (19.2)
.exe | Win32 EXE Yoda's Crypter (18.8)
.scr | Windows screen saver (9.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2020:05:04 04:35:02+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 618496
InitializedDataSize: 626688
UninitializedDataSize: -
EntryPoint: 0x7834f
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Chinese (Simplified)
CharacterSet: Unicode
FileVersion: 1.0.0.0
FileDescription: _cacheaw
ProductName: 易语言程序
ProductVersion: 1.0.0.0
LegalCopyright: 作者版权所有 请尊重并使用正版
Comments: 本程序使用易语言编写(http://www.eyuyan.com)
No data.
Total processes: 123
Monitored processes: 4
Malicious processes: 3
Suspicious processes: 0

Behavior graph

[Graph image not included. Process chain shown in the graph: start → 2024-12-30_26d0b51d199c4fa8fe11a3df6070a513_icedid.exe → ser.exe → serevc.exe; 2024-12-30_26d0b51d199c4fa8fe11a3df6070a513_icedid.exe also starts _cacheaw2024-12-30_26d0b51d199c4fa8fe11a3df6070a513_icedid.exe (no specs)]

Process information

PID 68 | CMD: C:\Users\admin\Documents\\kjtkxhee\serevc.exe | Path: C:\Users\admin\Documents\kjtkxhee\serevc.exe | Parent process: ser.exe
User: admin
Company: Windows
Integrity Level: MEDIUM
Description: Windows
Version: 1.0.0.0
Modules (images):
  • c:\users\admin\documents\kjtkxhee\serevc.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\ws2_32.dll

PID 1668 | CMD: C:\Users\admin\Desktop\_cacheaw2024-12-30_26d0b51d199c4fa8fe11a3df6070a513_icedid.exe | Path: C:\Users\admin\Desktop\_cacheaw2024-12-30_26d0b51d199c4fa8fe11a3df6070a513_icedid.exe | Parent process: 2024-12-30_26d0b51d199c4fa8fe11a3df6070a513_icedid.exe
User: admin
Company: RuntimeBroker
Integrity Level: MEDIUM
Description: 应用程序
Exit code: 3221226540
Version: 8.9.8.9
Modules (images):
  • c:\users\admin\desktop\_cacheaw2024-12-30_26d0b51d199c4fa8fe11a3df6070a513_icedid.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll

PID 5536 | CMD: "C:\Users\admin\Desktop\2024-12-30_26d0b51d199c4fa8fe11a3df6070a513_icedid.exe" | Path: C:\Users\admin\Desktop\2024-12-30_26d0b51d199c4fa8fe11a3df6070a513_icedid.exe | Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: _cacheaw
Version: 1.0.0.0
Modules (images):
  • c:\users\admin\desktop\2024-12-30_26d0b51d199c4fa8fe11a3df6070a513_icedid.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\ws2_32.dll

PID 5920 | CMD: C:\Users\admin\AppData\Local\Temp\\ser.exe | Path: C:\Users\admin\AppData\Local\Temp\ser.exe | Parent process: 2024-12-30_26d0b51d199c4fa8fe11a3df6070a513_icedid.exe
User: admin
Integrity Level: MEDIUM
Description: 易语言程序
Exit code: 0
Version: 1.0.0.0
Modules (images):
  • c:\users\admin\appdata\local\temp\ser.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\advapi32.dll
Total events: 316
Read events: 315
Write events: 1
Delete events: 0

Modification events

PID 68 (serevc.exe) | Operation: write | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | Name: serevc | Value: C:\Users\admin\Documents\kjtkxhee\serevc.exe
Executable files: 3
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type
5920 | ser.exe | C:\Users\admin\Documents\kjtkxhee\serevc.exe | executable
  MD5: 306C2108078B5250A1B8F3F86B820C81
  SHA256: 70D5B90CDD1686C42CD57BF514374628B1FE3803AA79B2033A4B9A73736027AA
5536 | 2024-12-30_26d0b51d199c4fa8fe11a3df6070a513_icedid.exe | C:\Users\admin\Desktop\_cacheaw2024-12-30_26d0b51d199c4fa8fe11a3df6070a513_icedid.exe | executable
  MD5: 273744044BBC6E49BAFFDA91A9DD6B38
  SHA256: 8BCE0ECD1F7422FFAC9920986B14355EDDA1822C4CB8E7141E5681FAF6E2EE50
5536 | 2024-12-30_26d0b51d199c4fa8fe11a3df6070a513_icedid.exe | C:\Users\admin\AppData\Local\Temp\ser.exe | executable
  MD5: CF686DA098FEA0536081545BC9276C35
  SHA256: 73C9A3AC159D8B5C797961D5502E2595C67D38D401957F749D811F0657777051
HTTP(S) requests: 6
TCP/UDP connections: 20
DNS requests: 8
Threats: 4

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | Type | Reputation
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.164:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
1540 | RUXIMICS.exe | GET | 200 | 23.48.23.164:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
5496 | svchost.exe | GET | 200 | 23.48.23.164:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.19.217.218:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
1540 | RUXIMICS.exe | GET | 200 | 2.19.217.218:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
5496 | svchost.exe | GET | 200 | 2.19.217.218:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4712 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 192.168.100.255:137 | - | - | - | whitelisted
5496 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 192.168.100.255:138 | - | - | - | unknown
1540 | RUXIMICS.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
68 | serevc.exe | 154.193.118.153:1777 | www.83faka.com | MULTA-ASN1 | ZA | malicious
1540 | RUXIMICS.exe | 23.48.23.164:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 23.48.23.164:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5496 | svchost.exe | 23.48.23.164:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 2.19.217.218:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted

DNS requests

Domain | IP | Reputation
google.com | 142.250.185.110 | whitelisted
www.83faka.com | 154.193.118.153 | unknown
crl.microsoft.com | 23.48.23.164, 23.48.23.145, 23.48.23.173, 23.48.23.194, 23.48.23.180, 23.48.23.167, 23.48.23.166, 23.48.23.176, 23.48.23.177 | whitelisted
www.microsoft.com | 2.19.217.218 | whitelisted
settings-win.data.microsoft.com | 4.231.128.59, 20.73.194.208 | whitelisted
self.events.data.microsoft.com | 52.168.112.67 | whitelisted

Threats

4 ETPRO signatures available at the full report
No debug info