icedid | 3632bc3aa58008650c9633e908804b5db470311e8e6de3a08a8ca598327b2a41

General

Target

pub3.exe
Size

335KB
MD5

e34cba52b1206c828978872b9338f430
SHA1

7b03d09434b98a479c8b3e84a2abf990e3918b93
SHA256

3632bc3aa58008650c9633e908804b5db470311e8e6de3a08a8ca598327b2a41
SHA512

62ece1d4a19e5572fb2a2af9c9810f56fa95e9449b4133a5ce4635e928c237de48bdac0b480ef70c7a59ba0f287bd409ab618b1e4ffe557b41070a5cd16d1353

Score

10^/10

icedid smokeloader 1875681804 backdoor banker suricata trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://directorycart.com/upload/

http://tierzahnarzt.at/upload/

http://streetofcards.com/upload/

http://ycdfzd.com/upload/

http://successcoachceo.com/upload/

http://uhvu.cn/upload/

http://japanarticle.com/upload/

rc4.i32

Extracted

Family

icedid

Campaign

1875681804

C2

enticationmetho.ink

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

967F.exeC3BA.exeSmartClock.exe

pid process

4660 967F.exe
536 C3BA.exe
820 SmartClock.exe
Deletes itself 1 IoCs

Processes:

pid process

2552
Drops startup file 1 IoCs

Processes:

C3BA.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk C3BA.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
4660	967F.exe
536	C3BA.exe
820	SmartClock.exe

pid	process
2552

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk	C3BA.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

pub3.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub3.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub3.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

SmartClock.exe

pid process

820 SmartClock.exe

pid	process
820	SmartClock.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pub3.exe

pid	process
3632	pub3.exe
3632	pub3.exe
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2552
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

pub3.exe

pid process

3632 pub3.exe

pid	process
2552

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

C3BA.exe

description	pid	process	target process
PID 2552 wrote to memory of 4660	2552		967F.exe
PID 2552 wrote to memory of 4660	2552		967F.exe
PID 2552 wrote to memory of 536	2552		C3BA.exe
PID 2552 wrote to memory of 536	2552		C3BA.exe
PID 2552 wrote to memory of 536	2552		C3BA.exe
PID 536 wrote to memory of 820	536	C3BA.exe	SmartClock.exe
PID 536 wrote to memory of 820	536	C3BA.exe	SmartClock.exe
PID 536 wrote to memory of 820	536	C3BA.exe	SmartClock.exe

C:\Users\Admin\AppData\Local\Temp\pub3.exe
"C:\Users\Admin\AppData\Local\Temp\pub3.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3632

C:\Users\Admin\AppData\Local\Temp\967F.exe
C:\Users\Admin\AppData\Local\Temp\967F.exe
1⤵
- Executes dropped EXE
PID:4660

C:\Users\Admin\AppData\Local\Temp\C3BA.exe
C:\Users\Admin\AppData\Local\Temp\C3BA.exe
1⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:536

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
PID:820

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\967F.exe
MD5
81fc38de5b6197c4db58eb506037e7cb

SHA1
c2258ab3204e6061d548df202c99aa361242d848

SHA256
2b9cba43290c9d4cc2d6a47432ddac5752c63e5ac519c2056ba466580424ed3b

SHA512
4c96e9104e55454e741a13be34a7c5a3afb8d0d17c1924d629acbd487975d88d4435fd46b34649defe2d047ff4c84e06c4a0d0176085c7b5ab4d80eed18b0d9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\967F.exe
MD5
81fc38de5b6197c4db58eb506037e7cb

SHA1
c2258ab3204e6061d548df202c99aa361242d848

SHA256
2b9cba43290c9d4cc2d6a47432ddac5752c63e5ac519c2056ba466580424ed3b

SHA512
4c96e9104e55454e741a13be34a7c5a3afb8d0d17c1924d629acbd487975d88d4435fd46b34649defe2d047ff4c84e06c4a0d0176085c7b5ab4d80eed18b0d9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\C3BA.exe
MD5
87298d878454b01a575fa91744008cb8

SHA1
76be4a6c063f4e3b5e2e9c1f365bf50cf1a1f025

SHA256
308a45a744327c9c3aece85566c40997ef7ad1b483294431908e29b01c64acbe

SHA512
1874d9e17c1b0f306b0c3482377c6fd1515ea3a58e9a72b4ea28f07cbd21c7159c628111bdefd14cab49cd14314f8a36e516dec251d543cebea48d1d93d308fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\C3BA.exe
MD5
87298d878454b01a575fa91744008cb8

SHA1
76be4a6c063f4e3b5e2e9c1f365bf50cf1a1f025

SHA256
308a45a744327c9c3aece85566c40997ef7ad1b483294431908e29b01c64acbe

SHA512
1874d9e17c1b0f306b0c3482377c6fd1515ea3a58e9a72b4ea28f07cbd21c7159c628111bdefd14cab49cd14314f8a36e516dec251d543cebea48d1d93d308fc

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
87298d878454b01a575fa91744008cb8

SHA1
76be4a6c063f4e3b5e2e9c1f365bf50cf1a1f025

SHA256
308a45a744327c9c3aece85566c40997ef7ad1b483294431908e29b01c64acbe

SHA512
1874d9e17c1b0f306b0c3482377c6fd1515ea3a58e9a72b4ea28f07cbd21c7159c628111bdefd14cab49cd14314f8a36e516dec251d543cebea48d1d93d308fc

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
87298d878454b01a575fa91744008cb8

SHA1
76be4a6c063f4e3b5e2e9c1f365bf50cf1a1f025

SHA256
308a45a744327c9c3aece85566c40997ef7ad1b483294431908e29b01c64acbe

SHA512
1874d9e17c1b0f306b0c3482377c6fd1515ea3a58e9a72b4ea28f07cbd21c7159c628111bdefd14cab49cd14314f8a36e516dec251d543cebea48d1d93d308fc

Download Submit
memory/536-127-0x0000000001360000-0x00000000013F1000-memory.dmp

Filesize
580KB

Download
memory/536-126-0x00000000011A1000-0x0000000001221000-memory.dmp

Filesize
512KB

Download
memory/536-123-0x0000000000000000-mapping.dmp

Download
memory/536-132-0x0000000000400000-0x0000000001094000-memory.dmp

Filesize
12.6MB

Download
memory/820-131-0x0000000001451000-0x00000000014D1000-memory.dmp

Filesize
512KB

Download
memory/820-128-0x0000000000000000-mapping.dmp

Download
memory/820-133-0x00000000010A0000-0x00000000011EA000-memory.dmp

Filesize
1.3MB

Download
memory/820-134-0x0000000000400000-0x0000000001094000-memory.dmp

Filesize
12.6MB

Download
memory/2552-118-0x0000000000EB0000-0x0000000000EC6000-memory.dmp

Filesize
88KB

Download
memory/3632-115-0x0000000000B11000-0x0000000000B22000-memory.dmp

Filesize
68KB

Download
memory/3632-117-0x0000000000400000-0x0000000000883000-memory.dmp

Filesize
4.5MB

Download
memory/3632-116-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/4660-119-0x0000000000000000-mapping.dmp

Download
memory/4660-122-0x0000000140000000-0x0000000140009000-memory.dmp

Filesize
36KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads