Icdv-30077.rar
| Rule | Description | Confidence |
|------|-------------|------------|
| malware_icdv_dropper | Matches known byte‑patterns of the ICDV dropper family (first 512 bytes of stub). | High |
| packer_upx | Detects UPX-packed PE. | High |
| suspicious_url_http | Detects hard‑coded HTTP C2 URL. | Medium |
| persistence_schtasks | Looks for schtasks command usage. | Medium |
| Property | Observation |
|----------|-------------|
| File size | 84 KB (RAR); 132 KB (extracted setup.exe) |
| Entropy | RAR archive: 7.2 (high; packed/compressed). setup.exe: 6.9 (indicative of UPX packing). |
| PE headers | setup.exe compiled with Microsoft Visual C++ 2015, 64‑bit, subsystem Windows GUI. |
| Import table | kernel32.dll (CreateProcessA, GetModuleFileNameW, VirtualAlloc, WriteProcessMemory, CreateThread); advapi32.dll (RegCreateKeyExW, RegSetValueExW, OpenProcessToken); user32.dll (MessageBoxA, used only for sandbox detection); ws2_32.dll (WSAStartup, socket, connect) |
| Export table | None (typical for a dropper). |
| Resources | Icon: "invoice.ico" (decoy). Manifest: requests requireAdministrator (elevates automatically via UAC bypass technique; see dynamic analysis). |
| String literals (decoded from UPX stub) | "http://185.72.219.112/payload.bin" (C2 URL); "\\Microsoft\\Windows\\CurrentVersion\\Run"; "ICDVUpdater" (registry value name); "taskkill /f /im explorer.exe" (used in persistence routine) |
| Digital signature | None; unsigned binary. |
| Packers | UPX 3.96 (detected) + custom XOR‑obfuscation for embedded URLs. |
The ICDV family has evolved from simple information stealers to multi‑stage loaders capable of lateral movement and ransomware deployment. The current sample is a gateway that can fetch additional modules (e.g., a ransomware encryptor) on demand.
All observations were captured in a Cuckoo Sandbox environment (Windows 10 22H2, 64‑bit) with network isolation via a simulated internet gateway.
| Observation | Detail |
|-------------|--------|
| Execution flow | (1) RAR extraction, then setup.exe launched (hidden). (2) Stub unpacks embedded payload (AES‑encrypted payload.bin). (3) Decrypted payload is written to %LOCALAPPDATA%\Microsoft\ICDV\icdvsvc.exe. (4) icdvsvc.exe runs with elevated privileges via a UAC bypass that abuses the fodhelper.exe auto‑elevate COM interface. |
| Anti‑analysis | Checks for VMware, VirtualBox, QEMU drivers (DeviceIoControl); queries the ProcessId of known sandbox processes (e.g., vboxservice.exe); if any indicator is found, the binary terminates silently. |
| Persistence mechanisms | (1) Registry Run key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ICDVUpdater, pointing to icdvsvc.exe. (2) Scheduled task: schtasks /create /sc minute /mo 5 /tn "ICDVUpdate" /tr "%LOCALAPPDATA%\Microsoft\ICDV\icdvsvc.exe". |
| Network activity | Initial HTTP GET to http://185.72.219.112/payload.bin (returns a 41 KB encrypted payload); subsequent HTTPS POST to https://185.72.219.112/telemetry with JSON containing system info, user name, and extracted credentials (encrypted with RSA‑2048, server‑side public key). |
| Credential theft | Reads the Chrome Login Data SQLite DB and decrypts it using DPAPI; extracts Outlook PST passwords via MAPI calls; enumerates saved Windows credentials via CredEnumerateW. |
| Lateral movement | No lateral movement observed in the sandbox, but the binary contains code to enumerate network shares (NetShareEnum) and attempt SMB credential reuse; this is a future capability unlocked after additional modules are downloaded. |
| File system changes | Creates the C:\ProgramData\ICDV\ directory (hidden); drops icdvsvc.exe and a configuration file config.dat (AES‑256‑CBC). |
| Process tree | explorer.exe → setup.exe (hidden) → icdvsvc.exe → powershell.exe (used to download additional modules). |
| Detection evasion | Process hollowing: spawns a benign svchost.exe, then replaces its memory with the malicious payload. Dynamic API resolution: calls GetProcAddress via hashed strings. |
The sample is a multi‑stage infection vector that is typically distributed via spam e‑mail attachments masquerading as “invoice” or “logistics” documents. Once opened, the RAR archive extracts the malicious setup.exe, which silently executes and begins the infection chain.