IcedID
Attributions are based on open-source threat reports. A family appearing here means at least one syscall record cites it; absence does not imply non-use.
16 syscalls cited
- NtAllocateVirtualMemory
Reserves, commits or both a region of virtual memory in a target process.
- NtAllocateVirtualMemoryEx
Reserves or commits virtual memory with extended parameters (preferred NUMA node, CFG, address requirements).
- NtProtectVirtualMemory
Changes the protection on a region of committed virtual memory in a target process.
- NtWriteVirtualMemory
Writes a buffer from the caller into the virtual address space of a target process.
- NtFreeVirtualMemory
Decommits or releases a region of virtual memory in a target process.
- NtCreateSection
Creates a section object backed by a file or the system pagefile for shared memory mapping.
- NtMapViewOfSection
Maps a view of a section object into the virtual address space of a target process.
- NtQueueApcThread
Queues a user-mode asynchronous procedure call (APC) to a target thread.
- NtCreateUserProcess
Creates a new user-mode process and its initial thread from an executable image.
- NtQueryInformationProcess
Retrieves a class of information about a process. It backs many Win32 process-query APIs (CheckRemoteDebuggerPresent, GetProcessId, the ProcessInformation classes of GetProcessInformation) and is the workhorse of anti-debug checks via ProcessDebugPort, ProcessDebugObjectHandle and ProcessDebugFlags.
- NtGetCurrentProcessorNumber
Returns the zero-based logical-processor index the calling thread is currently executing on.
- NtWaitForMultipleObjects
Waits on up to MAXIMUM_WAIT_OBJECTS dispatcher objects with either WaitAny or WaitAll semantics.
- NtCreateMutant
Creates or opens a named or unnamed mutant (mutex) object and optionally takes initial ownership.
- NtQuerySystemTime
Returns the current system time as a 64-bit count of 100-ns intervals since 1601-01-01 UTC.
- NtClose
Closes a kernel object handle (file, key, event, process, thread, section, etc.).
- NtCreateFile
Creates or opens a file, directory, device, or named pipe. CreateFile resolves to it, so a dropper's first write of a payload to disk passes through this call.
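The memory syscalls above (allocate, write, protect, create/map section) plus NtQueueApcThread form the two cross-process injection chains a detection engineer would correlate rather than alert on individually: a lone remote NtWriteVirtualMemory is also what debuggers and some installers do. The following is an added example, not code from the page or from any IcedID report; it assumes a hypothetical per-process syscall trace format (`<seq> <pid> <syscall> key=value ...`) and a constructed sample trace, and alerts only when a remote target sees payload placement (write or mapped view), an executable protection, and an APC trigger from the same source process.

```python
"""Correlate a per-process syscall trace for cross-process injection chains.

Chain A: NtAllocateVirtualMemory[Ex] -> NtWriteVirtualMemory
         -> NtProtectVirtualMemory(executable) -> NtQueueApcThread
Chain B: NtCreateSection(executable) -> NtMapViewOfSection(remote)
         -> NtQueueApcThread

The trace format and the sample lines are constructed for this example.
"""
import re
from collections import defaultdict

# Constructed sample trace: pid 4120 injects into 6344 via write+protect,
# pid 7788 is benign file activity, pid 9001 injects into 2344 via a section.
SAMPLE_TRACE = """\
1 4120 NtCreateMutant name=\\BaseNamedObjects\\Local\\x
2 4120 NtAllocateVirtualMemory target=6344 prot=PAGE_READWRITE size=0x4000
3 4120 NtWriteVirtualMemory target=6344 size=0x3a00
4 4120 NtProtectVirtualMemory target=6344 prot=PAGE_EXECUTE_READ
5 4120 NtQueueApcThread target=6344 tid=6360
6 7788 NtCreateFile path=\\??\\C:\\Users\\u\\AppData\\Local\\Temp\\a.tmp
7 7788 NtClose handle=0x1c8
8 9001 NtCreateSection prot=PAGE_EXECUTE_READWRITE
9 9001 NtMapViewOfSection target=9001 prot=PAGE_READWRITE
10 9001 NtMapViewOfSection target=2344 prot=PAGE_EXECUTE_READ
11 9001 NtQueueApcThread target=2344 tid=2400
"""

EXEC_PROTS = {"PAGE_EXECUTE", "PAGE_EXECUTE_READ",
              "PAGE_EXECUTE_READWRITE", "PAGE_EXECUTE_WRITECOPY"}

LINE_RE = re.compile(r"^(\d+)\s+(\d+)\s+(Nt\w+)\s*(.*)$")


def parse_line(line):
    """Parse one hypothetical trace line into a dict; None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    seq, pid, call, rest = m.groups()
    args = dict(tok.split("=", 1) for tok in rest.split() if "=" in tok)
    return {"seq": int(seq), "pid": int(pid), "call": call, "args": args}


def detect_injection(trace_text):
    """Return one alert per completed (source pid, target pid) injection chain."""
    alerts = []
    # stages seen per (source, target) pair, plus the seqs that built them
    state = defaultdict(lambda: {"stages": set(), "seqs": []})
    section_exec = set()  # pids that created an executable section object

    for line in trace_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        pid, call, a = ev["pid"], ev["call"], ev["args"]
        target = int(a.get("target", pid))

        if call == "NtCreateSection" and a.get("prot") in EXEC_PROTS:
            section_exec.add(pid)
            continue
        if target == pid:
            continue  # self-directed memory work is not what this rule is for

        st = state[(pid, target)]
        st["seqs"].append(ev["seq"])
        s = st["stages"]
        if call in ("NtAllocateVirtualMemory", "NtAllocateVirtualMemoryEx"):
            s.add("alloc")
            if a.get("prot") in EXEC_PROTS:
                s.add("exec")  # RWX allocation counts as the exec stage
        elif call == "NtWriteVirtualMemory":
            s.add("write")
        elif call == "NtProtectVirtualMemory" and a.get("prot") in EXEC_PROTS:
            s.add("exec")
        elif call == "NtMapViewOfSection":
            s.add("map")
            if a.get("prot") in EXEC_PROTS or pid in section_exec:
                s.add("exec")
        elif call == "NtQueueApcThread":
            s.add("apc")

        # Alert only when placement + executable memory + trigger all line up.
        if "apc" in s and "exec" in s and ("write" in s or "map" in s):
            kind = "apc_injection_write" if "write" in s else "apc_injection_section_map"
            alerts.append({"pid": pid, "target": target,
                           "technique": kind, "seqs": list(st["seqs"])})
            state.pop((pid, target))  # reset so a repeated chain alerts again
    return alerts


if __name__ == "__main__":
    for alert in detect_injection(SAMPLE_TRACE):
        print(alert)
```

The benign process (7788) never appears in the output because its NtCreateFile/NtClose activity is self-directed, and a process that only writes into another (a debugger) never reaches the "exec" and "apc" stages, which is the point of correlating the chain instead of flagging any one of these sixteen syscalls on its own. Real telemetry (ETW, a kernel callback, a sandbox trace) will name fields differently; only the stage logic carries over.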