icedid | ca93e1c7dc98ca126438c4772f9c3377de5f628b612fe3dc8f72709d5e5bbdb0

General

Target

hostsvc.dll
Size

63KB
MD5

fcb6cf720c45b554c5f689fa914ffd2c
SHA1

4d247be7e4c3ee51c026c49dc4b9f59479e8ca77
SHA256

ca93e1c7dc98ca126438c4772f9c3377de5f628b612fe3dc8f72709d5e5bbdb0
SHA512

a27fb5b32662f0624be8b96aaab8e8b09933dee0c996009970d8f7348d5df2142eb23f9215c35c95640a767399dce4636122dc81e58b5cc15ff3ffa3a6a86514

Score

10^/10

icedid 478101429 2608516171 banker loader spyware stealer trojan

Malware Config

Extracted

Family

icedid

Campaign

2608516171

C2

234willkids.uno

Extracted

Family

icedid

rsa_pubkey.plain

Extracted

Family

icedid

Botnet

478101429

C2

gabry4saver.website

usser234dopper.space

tasyateles.club

jrburnit.website

Attributes

url_path
/news/

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid

IcedID First Stage Loader 1 IoCs

loader

Processes:

resource	yara_rule
behavioral2/memory/636-2-0x0000000000830000-0x0000000000837000-memory.dmp	IcedidFirstLoader

Blocklisted process makes network request 5 IoCs

Processes:

rundll32.exe

flow pid process

25 2960 rundll32.exe
27 2960 rundll32.exe
28 2960 rundll32.exe
29 2960 rundll32.exe
31 2960 rundll32.exe
Loads dropped DLL 2 IoCs

Processes:

rundll32.exe

pid process

2960 rundll32.exe
2960 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Discovers systems in the same network 1 TTPs 2 IoCs
discovery

Remote System Discovery
T1018

Processes:

net.exenet.exe

pid process

1580 net.exe
688 net.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

3692 ipconfig.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

512 systeminfo.exe

flow	pid	process
25	2960	rundll32.exe
27	2960	rundll32.exe
28	2960	rundll32.exe
29	2960	rundll32.exe
31	2960	rundll32.exe

pid	process
2960	rundll32.exe
2960	rundll32.exe

pid	process
1580	net.exe
688	net.exe

pid	process
3692	ipconfig.exe

pid	process
512	systeminfo.exe

Modifies registry class 2 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\CLSID\{D90526ED-D8D6-91B9-A7EF-C3A85104A663}	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\CLSID\{D90526ED-D8D6-91B9-A7EF-C3A85104A663}\ = 0255c1ede42f3a4217ade67d0be71cf4759098788cef7620a30f18095887ff32d47b4c7358053e33ee05c708b04bd52eeac376e11e1fbfc26e0cbfdbd6f02fc9bc54de5beecf042efa4ef42765e3f5161fbe88f4017f1acd5e0ba716a3e0f59c6fbbcec90db303318e4c32df6a4b3e5af80b53c02dcc58d3651b72f4015f139621cd15455c16854668355e464298d93ad69581a49dec9019ef2ba8823fcb4fb9e4234ed5652c8e4124bd106fa98b79c883832acecc02ea7e21545733908a9338cf4db8e5244e55a50cbea9a86d23cf07c7dd7f8e859abf8ca71719d364bf10ebb4fc7824cdcc7b0534c619fb696b120c2656d77236d09dbe116a2cc946fdf67f735cc81c79763c27c31efd69a2c7ecc98321d7effee0fbfffbe0b07032464c8484ac0e72eaea42d01440de9870160e3f4d46a30dea6f33969711ec683bc9069981a98db2ca7a8a04	rundll32.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

regsvr32.exerundll32.exe

pid	process
636	regsvr32.exe
636	regsvr32.exe
2960	rundll32.exe
2960	rundll32.exe
2960	rundll32.exe
2960	rundll32.exe
2960	rundll32.exe
2960	rundll32.exe
2960	rundll32.exe
2960	rundll32.exe
2960	rundll32.exe
2960	rundll32.exe
2960	rundll32.exe
2960	rundll32.exe
2960	rundll32.exe
2960	rundll32.exe
2960	rundll32.exe
2960	rundll32.exe
2960	rundll32.exe
2960	rundll32.exe
2960	rundll32.exe
2960	rundll32.exe
2960	rundll32.exe
2960	rundll32.exe
2960	rundll32.exe
2960	rundll32.exe
2960	rundll32.exe
2960	rundll32.exe
2960	rundll32.exe
2960	rundll32.exe
2960	rundll32.exe
2960	rundll32.exe
2960	rundll32.exe
2960	rundll32.exe
2960	rundll32.exe
2960	rundll32.exe
2960	rundll32.exe
2960	rundll32.exe
2960	rundll32.exe
2960	rundll32.exe
2960	rundll32.exe
2960	rundll32.exe
2960	rundll32.exe
2960	rundll32.exe
2960	rundll32.exe
2960	rundll32.exe
2960	rundll32.exe
2960	rundll32.exe
2960	rundll32.exe
2960	rundll32.exe
2960	rundll32.exe
2960	rundll32.exe
2960	rundll32.exe
2960	rundll32.exe
2960	rundll32.exe
2960	rundll32.exe
2960	rundll32.exe
2960	rundll32.exe
2960	rundll32.exe
2960	rundll32.exe
2960	rundll32.exe
2960	rundll32.exe
2960	rundll32.exe
2960	rundll32.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

WMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	3996	WMIC.exe
Token: SeSecurityPrivilege	3996	WMIC.exe
Token: SeTakeOwnershipPrivilege	3996	WMIC.exe
Token: SeLoadDriverPrivilege	3996	WMIC.exe
Token: SeSystemProfilePrivilege	3996	WMIC.exe
Token: SeSystemtimePrivilege	3996	WMIC.exe
Token: SeProfSingleProcessPrivilege	3996	WMIC.exe
Token: SeIncBasePriorityPrivilege	3996	WMIC.exe
Token: SeCreatePagefilePrivilege	3996	WMIC.exe
Token: SeBackupPrivilege	3996	WMIC.exe
Token: SeRestorePrivilege	3996	WMIC.exe
Token: SeShutdownPrivilege	3996	WMIC.exe
Token: SeDebugPrivilege	3996	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3996	WMIC.exe
Token: SeRemoteShutdownPrivilege	3996	WMIC.exe
Token: SeUndockPrivilege	3996	WMIC.exe
Token: SeManageVolumePrivilege	3996	WMIC.exe
Token: 33	3996	WMIC.exe
Token: 34	3996	WMIC.exe
Token: 35	3996	WMIC.exe
Token: 36	3996	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3996	WMIC.exe
Token: SeSecurityPrivilege	3996	WMIC.exe
Token: SeTakeOwnershipPrivilege	3996	WMIC.exe
Token: SeLoadDriverPrivilege	3996	WMIC.exe
Token: SeSystemProfilePrivilege	3996	WMIC.exe
Token: SeSystemtimePrivilege	3996	WMIC.exe
Token: SeProfSingleProcessPrivilege	3996	WMIC.exe
Token: SeIncBasePriorityPrivilege	3996	WMIC.exe
Token: SeCreatePagefilePrivilege	3996	WMIC.exe
Token: SeBackupPrivilege	3996	WMIC.exe
Token: SeRestorePrivilege	3996	WMIC.exe
Token: SeShutdownPrivilege	3996	WMIC.exe
Token: SeDebugPrivilege	3996	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3996	WMIC.exe
Token: SeRemoteShutdownPrivilege	3996	WMIC.exe
Token: SeUndockPrivilege	3996	WMIC.exe
Token: SeManageVolumePrivilege	3996	WMIC.exe
Token: 33	3996	WMIC.exe
Token: 34	3996	WMIC.exe
Token: 35	3996	WMIC.exe
Token: 36	3996	WMIC.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

regsvr32.exerundll32.execmd.exenet.exenet.exe

description	pid	process	target process
PID 636 wrote to memory of 2960	636	regsvr32.exe	rundll32.exe
PID 636 wrote to memory of 2960	636	regsvr32.exe	rundll32.exe
PID 2960 wrote to memory of 3244	2960	rundll32.exe	cmd.exe
PID 2960 wrote to memory of 3244	2960	rundll32.exe	cmd.exe
PID 3244 wrote to memory of 3868	3244	cmd.exe	chcp.com
PID 3244 wrote to memory of 3868	3244	cmd.exe	chcp.com
PID 2960 wrote to memory of 3996	2960	rundll32.exe	WMIC.exe
PID 2960 wrote to memory of 3996	2960	rundll32.exe	WMIC.exe
PID 2960 wrote to memory of 3692	2960	rundll32.exe	ipconfig.exe
PID 2960 wrote to memory of 3692	2960	rundll32.exe	ipconfig.exe
PID 2960 wrote to memory of 512	2960	rundll32.exe	systeminfo.exe
PID 2960 wrote to memory of 512	2960	rundll32.exe	systeminfo.exe
PID 2960 wrote to memory of 2000	2960	rundll32.exe	net.exe
PID 2960 wrote to memory of 2000	2960	rundll32.exe	net.exe
PID 2000 wrote to memory of 3424	2000	net.exe	net1.exe
PID 2000 wrote to memory of 3424	2000	net.exe	net1.exe
PID 2960 wrote to memory of 3344	2960	rundll32.exe	nltest.exe
PID 2960 wrote to memory of 3344	2960	rundll32.exe	nltest.exe
PID 2960 wrote to memory of 3328	2960	rundll32.exe	nltest.exe
PID 2960 wrote to memory of 3328	2960	rundll32.exe	nltest.exe
PID 2960 wrote to memory of 1580	2960	rundll32.exe	net.exe
PID 2960 wrote to memory of 1580	2960	rundll32.exe	net.exe
PID 2960 wrote to memory of 688	2960	rundll32.exe	net.exe
PID 2960 wrote to memory of 688	2960	rundll32.exe	net.exe
PID 2960 wrote to memory of 2564	2960	rundll32.exe	net.exe
PID 2960 wrote to memory of 2564	2960	rundll32.exe	net.exe
PID 2564 wrote to memory of 3844	2564	net.exe	net1.exe
PID 2564 wrote to memory of 3844	2564	net.exe	net1.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\hostsvc.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:636
- C:\Windows\system32\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\arrive_x64.tmp",update /i:"SickCash\license.dat"
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2960
- - C:\Windows\system32\cmd.exe
    cmd.exe /c chcp >&2
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3244
  - - C:\Windows\system32\chcp.com
      chcp
      4⤵
      PID:3868
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3996
- - C:\Windows\system32\ipconfig.exe
    ipconfig /all
    3⤵
    - Gathers network information
    PID:3692
- - C:\Windows\system32\systeminfo.exe
    systeminfo
    3⤵
    - Gathers system information
    PID:512
- - C:\Windows\system32\net.exe
    net config workstation
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2000
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 config workstation
      4⤵
      PID:3424
- - C:\Windows\system32\nltest.exe
    nltest /domain_trusts
    3⤵
    PID:3344
- - C:\Windows\system32\nltest.exe
    nltest /domain_trusts /all_trusts
    3⤵
    PID:3328
- - C:\Windows\system32\net.exe
    net view /all /domain
    3⤵
    - Discovers systems in the same network
    PID:1580
- - C:\Windows\system32\net.exe
    net view /all
    3⤵
    - Discovers systems in the same network
    PID:688
- - C:\Windows\system32\net.exe
    net group "Domain Admins" /domain
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2564
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 group "Domain Admins" /domain
      4⤵
      PID:3844

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Remote System Discovery

1

T1018

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\arrive_x64.tmp

MD5
0733ba71c972c267f6e6b1572cc108a6

SHA1
2f595da6c3f768d628c1bbdfbc8de0b5e30315ec

SHA256
210d45a44ece1a221277d4bad6dcbf961044e164c52908602a2231e60092e6b1

SHA512
922768a03371563f2a62c7ced0ab12447a1810c57dfedeaa68242073acb9e3bfdbf386049b8482466e61a5c858f1764f7646bbbe84947713c10eb472e0d3f2bf

Download Submit
C:\Users\Admin\AppData\Roaming\SickCash\license.dat

MD5
3c6263a9c4117c78d26fc4380af014f2

SHA1
eca410dd57af16227220e08067c1895c258eb92b

SHA256
29d2a8344bd725d7a8b43cc77a82b3db57a5226ce792ac4b37e7f73ec468510e

SHA512
0969cde0d327b9f4b2be708437aea2a1d7a9ba9482125e143ce25c6a2f07e8ee1fa9b23e12f4e88157305f59209e2a8b3a2b2e7eb143b114e3f0c95ba57a2e1a

Download Submit
\Users\Admin\AppData\Local\Temp\arrive_x64.tmp

MD5
0733ba71c972c267f6e6b1572cc108a6

SHA1
2f595da6c3f768d628c1bbdfbc8de0b5e30315ec

SHA256
210d45a44ece1a221277d4bad6dcbf961044e164c52908602a2231e60092e6b1

SHA512
922768a03371563f2a62c7ced0ab12447a1810c57dfedeaa68242073acb9e3bfdbf386049b8482466e61a5c858f1764f7646bbbe84947713c10eb472e0d3f2bf

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite64.dll

MD5
26d773a69f6fad3200d49a7aaa77752b

SHA1
3970ffe8aefe0c30daaec65b85fb103c0fc0f2a7

SHA256
fca6b7fe66ad9973f18f407e83b56dacd04197cbd35efc498a342d73d6a113e5

SHA512
0041b52514460dda19dd065fc46393f6fbe248a4c62fce28e0819abd952756996b34fdea286eb7814a7c868a12656a065278932760e61e53f7102b0dba324e4f

Download Submit
memory/512-13-0x0000000000000000-mapping.dmp

Download
memory/636-2-0x0000000000830000-0x0000000000837000-memory.dmp

Filesize
28KB

Download
memory/688-19-0x0000000000000000-mapping.dmp

Download
memory/1580-18-0x0000000000000000-mapping.dmp

Download
memory/2000-14-0x0000000000000000-mapping.dmp

Download
memory/2564-20-0x0000000000000000-mapping.dmp

Download
memory/2960-8-0x0000013C81290000-0x0000013C81295000-memory.dmp

Filesize
20KB

Download
memory/2960-7-0x0000013C81500000-0x0000013C81558000-memory.dmp

Filesize
352KB

Download
memory/2960-3-0x0000000000000000-mapping.dmp

Download
memory/3244-9-0x0000000000000000-mapping.dmp

Download
memory/3328-17-0x0000000000000000-mapping.dmp

Download
memory/3344-16-0x0000000000000000-mapping.dmp

Download
memory/3424-15-0x0000000000000000-mapping.dmp

Download
memory/3692-12-0x0000000000000000-mapping.dmp

Download
memory/3844-21-0x0000000000000000-mapping.dmp

Download
memory/3868-10-0x0000000000000000-mapping.dmp

Download
memory/3996-11-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads