icedid | 3632bc3aa58008650c9633e908804b5db470311e8e6de3a08a8ca598327b2a41

Resubmissions

25-10-2021 17:24

211025-vy3lysgdf3 10

24-10-2021 11:10

211024-m94z6aehal 10

Analysis

max time kernel
151s
max time network
150s
platform
windows7_x64
resource
win7-en-20211014
submitted
24-10-2021 11:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

pub3.exe
Size

335KB
MD5

e34cba52b1206c828978872b9338f430
SHA1

7b03d09434b98a479c8b3e84a2abf990e3918b93
SHA256

3632bc3aa58008650c9633e908804b5db470311e8e6de3a08a8ca598327b2a41
SHA512

62ece1d4a19e5572fb2a2af9c9810f56fa95e9449b4133a5ce4635e928c237de48bdac0b480ef70c7a59ba0f287bd409ab618b1e4ffe557b41070a5cd16d1353

Score

10^/10

icedid smokeloader 1875681804 backdoor banker suricata trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://directorycart.com/upload/

http://tierzahnarzt.at/upload/

http://streetofcards.com/upload/

http://ycdfzd.com/upload/

http://successcoachceo.com/upload/

http://uhvu.cn/upload/

http://japanarticle.com/upload/

rc4.i32

Extracted

Family

icedid

Campaign

1875681804

enticationmetho.ink

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

ECEE.exe1B20.exeSmartClock.exe

pid process

788 ECEE.exe
1948 1B20.exe
1312 SmartClock.exe
Deletes itself 1 IoCs

Processes:

pid process

1252
Drops startup file 1 IoCs

Processes:

1B20.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk 1B20.exe
Loads dropped DLL 5 IoCs

Processes:

1B20.exe

pid process

1252
1252
1948 1B20.exe
1948 1B20.exe
1948 1B20.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
788	ECEE.exe
1948	1B20.exe
1312	SmartClock.exe

pid	process
1252

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk	1B20.exe

pid	process
1252
1252
1948	1B20.exe
1948	1B20.exe
1948	1B20.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

pub3.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub3.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub3.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub3.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

ECEE.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	ECEE.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	ECEE.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	ECEE.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	ECEE.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

SmartClock.exe

pid process

1312 SmartClock.exe

pid	process
1312	SmartClock.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pub3.exe

pid	process
1580	pub3.exe
1580	pub3.exe
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1252
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

pub3.exe

pid process

1580 pub3.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

1252
1252
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

pid process

1252
1252
1252
1252

pid	process
1252

pid	process
1252
1252

pid	process
1252
1252
1252
1252

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

1B20.exe

description	pid	process	target process
PID 1252 wrote to memory of 788	1252		ECEE.exe
PID 1252 wrote to memory of 788	1252		ECEE.exe
PID 1252 wrote to memory of 788	1252		ECEE.exe
PID 1252 wrote to memory of 1948	1252		1B20.exe
PID 1252 wrote to memory of 1948	1252		1B20.exe
PID 1252 wrote to memory of 1948	1252		1B20.exe
PID 1252 wrote to memory of 1948	1252		1B20.exe
PID 1948 wrote to memory of 1312	1948	1B20.exe	SmartClock.exe
PID 1948 wrote to memory of 1312	1948	1B20.exe	SmartClock.exe
PID 1948 wrote to memory of 1312	1948	1B20.exe	SmartClock.exe
PID 1948 wrote to memory of 1312	1948	1B20.exe	SmartClock.exe

C:\Users\Admin\AppData\Local\Temp\pub3.exe
"C:\Users\Admin\AppData\Local\Temp\pub3.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1580

C:\Users\Admin\AppData\Local\Temp\ECEE.exe
C:\Users\Admin\AppData\Local\Temp\ECEE.exe
1⤵
- Executes dropped EXE
- Modifies system certificate store
PID:788

C:\Users\Admin\AppData\Local\Temp\1B20.exe
C:\Users\Admin\AppData\Local\Temp\1B20.exe
1⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1948

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
PID:1312

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1B20.exe
MD5
87298d878454b01a575fa91744008cb8

SHA1
76be4a6c063f4e3b5e2e9c1f365bf50cf1a1f025

SHA256
308a45a744327c9c3aece85566c40997ef7ad1b483294431908e29b01c64acbe

SHA512
1874d9e17c1b0f306b0c3482377c6fd1515ea3a58e9a72b4ea28f07cbd21c7159c628111bdefd14cab49cd14314f8a36e516dec251d543cebea48d1d93d308fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\1B20.exe
MD5
87298d878454b01a575fa91744008cb8

SHA1
76be4a6c063f4e3b5e2e9c1f365bf50cf1a1f025

SHA256
308a45a744327c9c3aece85566c40997ef7ad1b483294431908e29b01c64acbe

SHA512
1874d9e17c1b0f306b0c3482377c6fd1515ea3a58e9a72b4ea28f07cbd21c7159c628111bdefd14cab49cd14314f8a36e516dec251d543cebea48d1d93d308fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ECEE.exe
MD5
81fc38de5b6197c4db58eb506037e7cb

SHA1
c2258ab3204e6061d548df202c99aa361242d848

SHA256
2b9cba43290c9d4cc2d6a47432ddac5752c63e5ac519c2056ba466580424ed3b

SHA512
4c96e9104e55454e741a13be34a7c5a3afb8d0d17c1924d629acbd487975d88d4435fd46b34649defe2d047ff4c84e06c4a0d0176085c7b5ab4d80eed18b0d9a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk
MD5
74a1ddc5af9f00c8939a71e3d4644f12

SHA1
b55a65c523771ffa07a0464bd624391ffb1fac2c

SHA256
2c8d2abeee3912b89beea27bbc9e8bfada345146da65d7a266854ec00c3da9b4

SHA512
28172d75c58d4e2ea871ddeb14447457a9a53949099eb9715216f61ec8cf57e7bd6f5fb13238d9f47e1a3b7e4381e15ef5d39a192d4f49ba010c126e336eeb31

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
87298d878454b01a575fa91744008cb8

SHA1
76be4a6c063f4e3b5e2e9c1f365bf50cf1a1f025

SHA256
308a45a744327c9c3aece85566c40997ef7ad1b483294431908e29b01c64acbe

SHA512
1874d9e17c1b0f306b0c3482377c6fd1515ea3a58e9a72b4ea28f07cbd21c7159c628111bdefd14cab49cd14314f8a36e516dec251d543cebea48d1d93d308fc

Download Submit
\Users\Admin\AppData\Local\Temp\ECEE.exe
MD5
81fc38de5b6197c4db58eb506037e7cb

SHA1
c2258ab3204e6061d548df202c99aa361242d848

SHA256
2b9cba43290c9d4cc2d6a47432ddac5752c63e5ac519c2056ba466580424ed3b

SHA512
4c96e9104e55454e741a13be34a7c5a3afb8d0d17c1924d629acbd487975d88d4435fd46b34649defe2d047ff4c84e06c4a0d0176085c7b5ab4d80eed18b0d9a

Download Submit
\Users\Admin\AppData\Local\Temp\ECEE.exe
MD5
81fc38de5b6197c4db58eb506037e7cb

SHA1
c2258ab3204e6061d548df202c99aa361242d848

SHA256
2b9cba43290c9d4cc2d6a47432ddac5752c63e5ac519c2056ba466580424ed3b

SHA512
4c96e9104e55454e741a13be34a7c5a3afb8d0d17c1924d629acbd487975d88d4435fd46b34649defe2d047ff4c84e06c4a0d0176085c7b5ab4d80eed18b0d9a

Download Submit
\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
87298d878454b01a575fa91744008cb8

SHA1
76be4a6c063f4e3b5e2e9c1f365bf50cf1a1f025

SHA256
308a45a744327c9c3aece85566c40997ef7ad1b483294431908e29b01c64acbe

SHA512
1874d9e17c1b0f306b0c3482377c6fd1515ea3a58e9a72b4ea28f07cbd21c7159c628111bdefd14cab49cd14314f8a36e516dec251d543cebea48d1d93d308fc

Download Submit
\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
87298d878454b01a575fa91744008cb8

SHA1
76be4a6c063f4e3b5e2e9c1f365bf50cf1a1f025

SHA256
308a45a744327c9c3aece85566c40997ef7ad1b483294431908e29b01c64acbe

SHA512
1874d9e17c1b0f306b0c3482377c6fd1515ea3a58e9a72b4ea28f07cbd21c7159c628111bdefd14cab49cd14314f8a36e516dec251d543cebea48d1d93d308fc

Download Submit
\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
87298d878454b01a575fa91744008cb8

SHA1
76be4a6c063f4e3b5e2e9c1f365bf50cf1a1f025

SHA256
308a45a744327c9c3aece85566c40997ef7ad1b483294431908e29b01c64acbe

SHA512
1874d9e17c1b0f306b0c3482377c6fd1515ea3a58e9a72b4ea28f07cbd21c7159c628111bdefd14cab49cd14314f8a36e516dec251d543cebea48d1d93d308fc

Download Submit
memory/788-64-0x0000000140000000-0x0000000140009000-memory.dmp

Filesize
36KB

Download
memory/788-62-0x0000000000000000-mapping.dmp

Download
memory/1252-59-0x0000000002AE0000-0x0000000002AF6000-memory.dmp

Filesize
88KB

Download
memory/1312-73-0x0000000000000000-mapping.dmp

Download
memory/1312-80-0x0000000000400000-0x0000000001094000-memory.dmp

Filesize
12.6MB

Download
memory/1312-76-0x0000000001278000-0x00000000012F8000-memory.dmp

Filesize
512KB

Download
memory/1580-58-0x0000000000400000-0x0000000000883000-memory.dmp

Filesize
4.5MB

Download
memory/1580-55-0x0000000000A78000-0x0000000000A89000-memory.dmp

Filesize
68KB

Download
memory/1580-57-0x0000000000020000-0x0000000000029000-memory.dmp

Filesize
36KB

Download
memory/1580-56-0x00000000754A1000-0x00000000754A3000-memory.dmp

Filesize
8KB

Download
memory/1948-65-0x0000000000000000-mapping.dmp

Download
memory/1948-77-0x0000000000400000-0x0000000001094000-memory.dmp

Filesize
12.6MB

Download
memory/1948-75-0x0000000000220000-0x00000000002B1000-memory.dmp

Filesize
580KB

Download
memory/1948-67-0x0000000001258000-0x00000000012D8000-memory.dmp

Filesize
512KB

Download