icedid | 2031990c23b02f14927d6e81c767671f030228a52f56ffba1dbc5a20d5cd3552

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-en-20211014
submitted
22-10-2021 19:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2031990c23b02f14927d6e81c767671f030228a52f56f.exe
Size

333KB
MD5

1af134c8d0c42c155d731736acdad0ed
SHA1

6fbdd621b41cad2aeec78697ef480e7ac9e4320d
SHA256

2031990c23b02f14927d6e81c767671f030228a52f56ffba1dbc5a20d5cd3552
SHA512

f0199832b27387951bc00bc19346b94ae8b4a324be4e3fcc4d331fe76904ea5234a91ba5cbd3e4f0d14fb4dd408804d130069dd3aef300ef48c0805cfa57e409

Score

10^/10

icedid smokeloader 1875681804 backdoor banker suricata trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://directorycart.com/upload/

http://tierzahnarzt.at/upload/

http://streetofcards.com/upload/

http://ycdfzd.com/upload/

http://successcoachceo.com/upload/

http://uhvu.cn/upload/

http://japanarticle.com/upload/

rc4.i32

Extracted

Family

icedid

Campaign

1875681804

enticationmetho.ink

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

D8C2.exe2A2D.exeSmartClock.exe

pid process

940 D8C2.exe
1188 2A2D.exe
1272 SmartClock.exe
Deletes itself 1 IoCs

Processes:

pid process

1252
Drops startup file 1 IoCs

Processes:

2A2D.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk 2A2D.exe
Loads dropped DLL 5 IoCs

Processes:

2A2D.exe

pid process

1252
1252
1188 2A2D.exe
1188 2A2D.exe
1188 2A2D.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
940	D8C2.exe
1188	2A2D.exe
1272	SmartClock.exe

pid	process
1252

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk	2A2D.exe

pid	process
1252
1252
1188	2A2D.exe
1188	2A2D.exe
1188	2A2D.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

2031990c23b02f14927d6e81c767671f030228a52f56f.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2031990c23b02f14927d6e81c767671f030228a52f56f.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2031990c23b02f14927d6e81c767671f030228a52f56f.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2031990c23b02f14927d6e81c767671f030228a52f56f.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

D8C2.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	D8C2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	D8C2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	D8C2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	D8C2.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

SmartClock.exe

pid process

1272 SmartClock.exe

pid	process
1272	SmartClock.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2031990c23b02f14927d6e81c767671f030228a52f56f.exe

pid	process
1600	2031990c23b02f14927d6e81c767671f030228a52f56f.exe
1600	2031990c23b02f14927d6e81c767671f030228a52f56f.exe
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1252
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

2031990c23b02f14927d6e81c767671f030228a52f56f.exe

pid process

1600 2031990c23b02f14927d6e81c767671f030228a52f56f.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

1252
1252
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

pid process

1252
1252
1252
1252

pid	process
1252

pid	process
1252
1252

pid	process
1252
1252
1252
1252

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

2A2D.exe

description	pid	process	target process
PID 1252 wrote to memory of 940	1252		D8C2.exe
PID 1252 wrote to memory of 940	1252		D8C2.exe
PID 1252 wrote to memory of 940	1252		D8C2.exe
PID 1252 wrote to memory of 1188	1252		2A2D.exe
PID 1252 wrote to memory of 1188	1252		2A2D.exe
PID 1252 wrote to memory of 1188	1252		2A2D.exe
PID 1252 wrote to memory of 1188	1252		2A2D.exe
PID 1188 wrote to memory of 1272	1188	2A2D.exe	SmartClock.exe
PID 1188 wrote to memory of 1272	1188	2A2D.exe	SmartClock.exe
PID 1188 wrote to memory of 1272	1188	2A2D.exe	SmartClock.exe
PID 1188 wrote to memory of 1272	1188	2A2D.exe	SmartClock.exe

C:\Users\Admin\AppData\Local\Temp\2031990c23b02f14927d6e81c767671f030228a52f56f.exe
"C:\Users\Admin\AppData\Local\Temp\2031990c23b02f14927d6e81c767671f030228a52f56f.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1600

C:\Users\Admin\AppData\Local\Temp\D8C2.exe
C:\Users\Admin\AppData\Local\Temp\D8C2.exe
1⤵
- Executes dropped EXE
- Modifies system certificate store
PID:940

C:\Users\Admin\AppData\Local\Temp\2A2D.exe
C:\Users\Admin\AppData\Local\Temp\2A2D.exe
1⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1188

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
PID:1272

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2A2D.exe
MD5
89f4a226f68aace5e2582edb8d4a0a18

SHA1
852e4183652f4642f95941f76f3bdd41245dbffc

SHA256
7754f3b20e8e24f8fa2a239e68d5541f2db0310837c941594dadc1e1a266f1f0

SHA512
3dd20d30430ff1a95dba3d17bdef889ac55aea16629cf3f3f796c5a8e18ac4e13c50cc1a014abda4f8ea15f85d4ab6640bc041592c8fe9ed74387018c12b8509

Download Submit
C:\Users\Admin\AppData\Local\Temp\2A2D.exe
MD5
89f4a226f68aace5e2582edb8d4a0a18

SHA1
852e4183652f4642f95941f76f3bdd41245dbffc

SHA256
7754f3b20e8e24f8fa2a239e68d5541f2db0310837c941594dadc1e1a266f1f0

SHA512
3dd20d30430ff1a95dba3d17bdef889ac55aea16629cf3f3f796c5a8e18ac4e13c50cc1a014abda4f8ea15f85d4ab6640bc041592c8fe9ed74387018c12b8509

Download Submit
C:\Users\Admin\AppData\Local\Temp\D8C2.exe
MD5
81fc38de5b6197c4db58eb506037e7cb

SHA1
c2258ab3204e6061d548df202c99aa361242d848

SHA256
2b9cba43290c9d4cc2d6a47432ddac5752c63e5ac519c2056ba466580424ed3b

SHA512
4c96e9104e55454e741a13be34a7c5a3afb8d0d17c1924d629acbd487975d88d4435fd46b34649defe2d047ff4c84e06c4a0d0176085c7b5ab4d80eed18b0d9a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk
MD5
8c138b4207e9651cf1544828389fc66c

SHA1
f6bd0285c2d7fe31392545526976007aace380e4

SHA256
b812c3aa591874c24d21a6712d4ff0b9018fe7320493d715933240731937374a

SHA512
8f551b365df4585fcc57279149160bda647b897f0f644e36625e8b4f5343065f7667950d0f727e7464eb0cfd2045c835ac46320e0a3db0391238c43c01aae457

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
89f4a226f68aace5e2582edb8d4a0a18

SHA1
852e4183652f4642f95941f76f3bdd41245dbffc

SHA256
7754f3b20e8e24f8fa2a239e68d5541f2db0310837c941594dadc1e1a266f1f0

SHA512
3dd20d30430ff1a95dba3d17bdef889ac55aea16629cf3f3f796c5a8e18ac4e13c50cc1a014abda4f8ea15f85d4ab6640bc041592c8fe9ed74387018c12b8509

Download Submit
\Users\Admin\AppData\Local\Temp\D8C2.exe
MD5
81fc38de5b6197c4db58eb506037e7cb

SHA1
c2258ab3204e6061d548df202c99aa361242d848

SHA256
2b9cba43290c9d4cc2d6a47432ddac5752c63e5ac519c2056ba466580424ed3b

SHA512
4c96e9104e55454e741a13be34a7c5a3afb8d0d17c1924d629acbd487975d88d4435fd46b34649defe2d047ff4c84e06c4a0d0176085c7b5ab4d80eed18b0d9a

Download Submit
\Users\Admin\AppData\Local\Temp\D8C2.exe
MD5
81fc38de5b6197c4db58eb506037e7cb

SHA1
c2258ab3204e6061d548df202c99aa361242d848

SHA256
2b9cba43290c9d4cc2d6a47432ddac5752c63e5ac519c2056ba466580424ed3b

SHA512
4c96e9104e55454e741a13be34a7c5a3afb8d0d17c1924d629acbd487975d88d4435fd46b34649defe2d047ff4c84e06c4a0d0176085c7b5ab4d80eed18b0d9a

Download Submit
\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
89f4a226f68aace5e2582edb8d4a0a18

SHA1
852e4183652f4642f95941f76f3bdd41245dbffc

SHA256
7754f3b20e8e24f8fa2a239e68d5541f2db0310837c941594dadc1e1a266f1f0

SHA512
3dd20d30430ff1a95dba3d17bdef889ac55aea16629cf3f3f796c5a8e18ac4e13c50cc1a014abda4f8ea15f85d4ab6640bc041592c8fe9ed74387018c12b8509

Download Submit
\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
89f4a226f68aace5e2582edb8d4a0a18

SHA1
852e4183652f4642f95941f76f3bdd41245dbffc

SHA256
7754f3b20e8e24f8fa2a239e68d5541f2db0310837c941594dadc1e1a266f1f0

SHA512
3dd20d30430ff1a95dba3d17bdef889ac55aea16629cf3f3f796c5a8e18ac4e13c50cc1a014abda4f8ea15f85d4ab6640bc041592c8fe9ed74387018c12b8509

Download Submit
\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
89f4a226f68aace5e2582edb8d4a0a18

SHA1
852e4183652f4642f95941f76f3bdd41245dbffc

SHA256
7754f3b20e8e24f8fa2a239e68d5541f2db0310837c941594dadc1e1a266f1f0

SHA512
3dd20d30430ff1a95dba3d17bdef889ac55aea16629cf3f3f796c5a8e18ac4e13c50cc1a014abda4f8ea15f85d4ab6640bc041592c8fe9ed74387018c12b8509

Download Submit
memory/940-64-0x0000000140000000-0x0000000140009000-memory.dmp

Filesize
36KB

Download
memory/940-62-0x0000000000000000-mapping.dmp

Download
memory/1188-65-0x0000000000000000-mapping.dmp

Download
memory/1188-67-0x0000000000A09000-0x0000000000A88000-memory.dmp

Filesize
508KB

Download
memory/1188-72-0x0000000000320000-0x00000000003B1000-memory.dmp

Filesize
580KB

Download
memory/1188-75-0x0000000000400000-0x00000000008F2000-memory.dmp

Filesize
4.9MB

Download
memory/1252-59-0x0000000002AE0000-0x0000000002AF6000-memory.dmp

Filesize
88KB

Download
memory/1272-74-0x0000000000000000-mapping.dmp

Download
memory/1272-78-0x0000000000D59000-0x0000000000DD8000-memory.dmp

Filesize
508KB

Download
memory/1272-80-0x0000000000400000-0x00000000008F2000-memory.dmp

Filesize
4.9MB

Download
memory/1600-58-0x0000000000400000-0x0000000000882000-memory.dmp

Filesize
4.5MB

Download
memory/1600-57-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/1600-55-0x0000000000A29000-0x0000000000A39000-memory.dmp

Filesize
64KB

Download
memory/1600-56-0x00000000754A1000-0x00000000754A3000-memory.dmp

Filesize
8KB

Download